CVE-2018-13346
Description
The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mercurial before 4.6.1 has an out-of-bounds read in mpatch_apply when a fragment start is past the data end, leading to denial of service or information disclosure.
Vulnerability
The mpatch_apply function in mpatch.c in Mercurial before version 4.6.1 (released 2018-06-06) improperly proceeds with a binary patch when the fragment start offset exceeds the length of the original data. This condition, tracked as OVE-20180430-0004, allows a crafted patch to trigger an out-of-bounds memory access during the application of MPatch deltas. The bug affects all Mercurial versions prior to 4.6.1 as indicated by the advisory [1][4].
Exploitation
An attacker must craft a malicious MPatch binary patch where at least one fragment specifies a start position beyond the end of the original data buffer. The attack can be delivered remotely if a victim clones or pulls a repository containing such a patch from an untrusted source, or locally if a user applies a patch file with the crafted content. No special authentication or user interaction beyond applying the patch is required; the vulnerable code path is reached during normal patching operations [1][3].
Impact
Successful exploitation causes the mpatch_apply function to read memory outside the intended buffer (out-of-bounds read). This can result in a crash (denial of service) or, in some configurations, disclosure of sensitive heap memory contents (information disclosure). The attacker does not gain code execution directly, but the leaked memory may contain credentials or other private data [3][4].
Mitigation
Mercurial 4.6.1, released on 2018-06-06, contains the fix for this vulnerability [1]. Users are advised to upgrade to Mercurial 4.6.1 or later. Red Hat Enterprise Linux users can apply the patch via RHSA-2019:2276 [2]. No workaround is available for unpatched versions. If an upgrade cannot be performed immediately, avoid applying patches from untrusted sources [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mercurialPyPI | < 4.6.1 | 4.6.1 |
Affected products
5- ghsa-coords5 versionspkg:pypi/mercurialpkg:rpm/opensuse/mercurial&distro=openSUSE%20Tumbleweedpkg:rpm/suse/mercurial&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015pkg:rpm/suse/mercurial&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4pkg:rpm/suse/mercurial&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3
< 4.6.1+ 4 more
- (no CPE)range: < 4.6.1
- (no CPE)range: < 5.9.1-2.1
- (no CPE)range: < 4.5.2-3.3.1
- (no CPE)range: < 2.3.2-0.18.9.1
- (no CPE)range: < 2.8.2-15.13.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- access.redhat.com/errata/RHSA-2019:2276ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-9xv4-r2hf-26ghghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-13346ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-88.yamlghsaWEB
- lists.debian.org/debian-lts-announce/2020/07/msg00032.htmlghsamailing-listx_refsource_MLISTWEB
- www.mercurial-scm.org/repo/hg/rev/faa924469635ghsax_refsource_MISCWEB
- www.mercurial-scm.org/wiki/WhatsNewghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.