VYPR
Unrated severity · NVD Advisory · Published Apr 23, 2018 · Updated Apr 15, 2026

CVE-2016-9586

Description

curl/libcurl before 7.52.0 has a stack buffer overflow in printf floating-point conversion when output exceeds 255 bytes, potentially exploitable via format strings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2016-9586 is a stack-based buffer overflow in libcurl's implementation of the printf() functions. The flaw occurs when a large floating-point output exceeds 255 bytes; the conversion uses system functions without proper boundary checks [2][3]. The bug affects curl versions 5.4 through 7.51.0 inclusive, and does not exist in the command line tool [3].

Exploitation

An attacker can exploit this vulnerability if an application accepts an externally supplied format string without adequate input filtering. The attacker would craft a format string that triggers a floating-point conversion producing more than 255 bytes [1][2]. Exploitation requires network access to deliver the malicious input but no prior authentication, provided the application processes untrusted format strings. No known exploit was reported at disclosure time [2].

Impact

A successful attack results in a stack-based buffer overflow (CWE-121) [3], which can lead to memory corruption. The impact may range from denial of service to potential arbitrary code execution, depending on how the application uses the curl_mprintf() functions. The attacker could achieve remote code execution at the privilege level of the affected process, potentially compromising confidentiality, integrity, and availability [1][4].

Mitigation

The vulnerability is fixed in curl version 7.52.0, released on December 21, 2016 [3]. The fix limits floating-point output to fit within the fixed-size buffer. Red Hat provided updates in httpd24-curl 7.61.1 [1]. Gentoo recommended upgrading to >=net-misc/curl-7.52.1 [4]. There is no known workaround; users should upgrade libcurl or apply the upstream patch [3]. The affected printf functions have been deprecated and should not be used in new programs.
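As an added example (not libcurl's own code), the defensive pattern the 7.52.0 fix follows: clamp a width and precision that may have come from an untrusted format string so the floating-point expansion fits a fixed scratch buffer, and make a bounded snprintf() the final guard so an expansion that is still too long is rejected rather than written past the end of the stack buffer. The function names and the 256-byte buffer (255 characters plus NUL, matching the limit in the description) are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define WORK_SIZE 256  /* fixed scratch buffer; the flaw involved a 255-byte limit */

/* Hypothetical helper, not libcurl's code: format `val` with a width and
 * precision that may have come from an untrusted format string. Both are
 * clamped so the expansion should fit WORK_SIZE-1 chars, and snprintf() is the
 * hard guard: an expansion that is still too long (e.g. %f of a huge magnitude)
 * is truncated and reported, never written past `work`. Returns 0 or -1. */
int fmt_double_bounded(char *out, size_t outsz, double val, long width, long prec)
{
    char work[WORK_SIZE];
    char fmt[32];
    double v = val < 0 ? -val : val;
    size_t maxprec = sizeof(work) - 2;   /* one integer digit plus '.' */
    int n;

    if (width >= (long)sizeof(work))
        width = (long)sizeof(work) - 1;
    /* each extra integer digit leaves one less fraction digit; the
     * maxprec > 0 test also stops the loop for infinities */
    while (v >= 10.0 && maxprec > 0) {
        v /= 10.0;
        maxprec--;
    }
    if (prec > (long)maxprec)
        prec = (long)maxprec - 1;

    if (width >= 0 && prec >= 0)          /* rebuild spec from clamped values */
        snprintf(fmt, sizeof(fmt), "%%%ld.%ldf", width, prec);
    else if (width >= 0)
        snprintf(fmt, sizeof(fmt), "%%%ldf", width);
    else if (prec >= 0)
        snprintf(fmt, sizeof(fmt), "%%.%ldf", prec);
    else
        snprintf(fmt, sizeof(fmt), "%%f");
    n = snprintf(work, sizeof(work), fmt, val);   /* bounded, unlike sprintf */
    if (n < 0 || (size_t)n >= sizeof(work))
        return -1;   /* a plain sprintf() here would have overflowed `work` */
    snprintf(out, outsz, "%s", work);
    return 0;
}

/* Length of the bounded result, or -1 if it was rejected. */
int fmt_double_len(double val, long width, long prec)
{
    char out[WORK_SIZE];
    return fmt_double_bounded(out, sizeof(out), val, width, prec) ? -1 : (int)strlen(out);
}
```

A huge width or precision is silently clamped to the buffer, while a value whose %f expansion cannot fit at any precision (such as 1e300) is refused outright.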

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 17

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 11

News mentions: 0. No linked articles in our index yet.