CVE-2018-13348
Description
The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data but there actually are not (aka OVE-20180430-0001).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mercurial before 4.6.1 has a heap buffer over-read in mpatch_decode due to insufficient length validation of patch data.
Vulnerability
The vulnerability resides in the mpatch_decode function in mpatch.c of Mercurial. The function mishandles situations where at least 12 bytes are expected to remain after the current position in patch data, but fewer bytes are actually available. This leads to a heap buffer over-read. All versions of Mercurial before 4.6.1 are affected [1][2].
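To make the missing check concrete, here is an added example (not Mercurial's own code) of a bounds-checked walk over binary patch data. It assumes Mercurial's hunk layout of a 12-byte header, three big-endian 32-bit integers (start, end, len), followed by len bytes of replacement data; the sample patches are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define MPATCH_HDR_LEN 12 /* start, end, len: three big-endian u32 */

/* Read a big-endian 32-bit integer without trusting alignment. */
static uint32_t getbe32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the hunks of a binary patch, checking lengths before every read.
 * Returns the hunk count, or -1 if the data is truncated or malformed. */
int mpatch_count_hunks(const unsigned char *bin, size_t len)
{
    size_t pos = 0;
    int hunks = 0;

    while (pos < len) {
        /* The check at the heart of CVE-2018-13348: a whole 12-byte header
         * must remain before the three fields are read. */
        if (len - pos < MPATCH_HDR_LEN)
            return -1;
        uint32_t start = getbe32(bin + pos);
        uint32_t end = getbe32(bin + pos + 4);
        uint32_t dlen = getbe32(bin + pos + 8);
        if (start > end)
            return -1; /* inverted hunk range */
        pos += MPATCH_HDR_LEN;
        /* Compare against remaining space rather than computing pos + dlen,
         * so an untrusted length cannot wrap the addition. */
        if (dlen > len - pos)
            return -1;
        pos += dlen;
        hunks++;
    }
    return hunks;
}

/* Constructed samples: one well-formed hunk, one cut off mid-header
 * (the CVE case), and one whose header claims more data than is present. */
static const unsigned char good_patch[] = {
    0,0,0,0, 0,0,0,3, 0,0,0,3, 'a','b','c'};
static const unsigned char short_hdr_patch[] = {
    0,0,0,0, 0,0,0,3, 0,0,0,3, 'a','b','c', 0,0,0,5, 0,0};
static const unsigned char short_data_patch[] = {
    0,0,0,0, 0,0,0,3, 0,0,0,10, 'a','b','c'};
```

Without the `len - pos < MPATCH_HDR_LEN` test, the second sample would read six bytes past the end of the buffer when the third header field is fetched.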
Exploitation
An attacker can trigger this vulnerability by supplying a specially crafted patch file to a vulnerable Mercurial instance. The attacker does not need any special privileges; the vulnerability can be triggered simply by applying a malicious patch or cloning a repository that contains such a patch. No user interaction beyond normal repository operations is required [2].
Impact
Successful exploitation results in a heap buffer over-read, which could allow an attacker to read out-of-bounds memory. This may lead to information disclosure of sensitive data in the heap, and under certain conditions could be leveraged for further attacks. The precise impact depends on the heap layout and the data present in adjacent memory [2].
Mitigation
The vulnerability is fixed in Mercurial version 4.6.1, which was released on 2018-06-06 [1]. Users should upgrade to Mercurial 4.6.1 or later. No workarounds are known for unpatched versions [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mercurial (PyPI) | < 4.6.1 | 4.6.1 |
Affected products
Five package coordinates from the GHSA record (no CPE entries):
- pkg:pypi/mercurial, range: < 4.6.1
- pkg:rpm/opensuse/mercurial (openSUSE Tumbleweed), range: < 5.9.1-2.1
- pkg:rpm/suse/mercurial (SUSE Linux Enterprise Module for Development Tools 15), range: < 4.5.2-3.3.1
- pkg:rpm/suse/mercurial (SUSE Linux Enterprise Software Development Kit 11 SP4), range: < 2.3.2-0.18.9.1
- pkg:rpm/suse/mercurial (SUSE Linux Enterprise Software Development Kit 12 SP3), range: < 2.8.2-15.13.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3v62-ww8w-758m (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-13348 (NVD advisory)
- github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-90.yaml (PyPA advisory database)
- lists.debian.org/debian-lts-announce/2020/07/msg00032.html (Debian LTS announcement, mailing list)
- www.mercurial-scm.org/repo/hg/rev/90a274965de7 (Mercurial changeset)
- www.mercurial-scm.org/wiki/WhatsNew (Mercurial release notes)
News mentions
No linked articles in our index yet.