VYPR
Unrated severity · NVD Advisory · Published Oct 31, 2018 · Updated Apr 15, 2026

CVE-2018-16842

Description

A heap-based buffer over-read in curl's warning formatting function (voutf) may expose sensitive data or cause a crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

curl versions 7.14.1 through 7.61.1 inclusive contain a heap-based buffer over-read in voutf() in src/tool_msgs.c, the function the curl command-line tool uses to format a warning and print it to stderr. The flaw is in the tool only; libcurl is not affected. voutf() formats the message into a heap-allocated buffer and then word-wraps it, printing one line at a time and advancing a pointer through the buffer after each line. The count of bytes still to be printed is decremented by one byte less than the pointer is advanced, so for a message long enough to wrap across several lines the loop can run past the terminating NUL and read, and print, whatever follows the message on the heap. No special configuration is needed: any invocation of the tool that produces a sufficiently long warning reaches this code path [1][2].
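As an added illustration, not curl's source and not part of this advisory's text, the C program below emulates the tool's word-wrap loop against a constructed buffer in which the warning message is followed by a second NUL-terminated string standing in for an adjacent heap object. It runs the loop with the 7.61.1 accounting (len -= cut) and with the corrected 7.62.0 accounting (len -= cut + 1) and reports whether the bytes that would have reached stderr include the neighbour. The message, the neighbour, the width of 10, the arena bounds check and the function names are all constructed for the demo; the real tool wraps at its own fixed width and writes straight to stderr.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Emulation of the curl tool's warning word-wrap loop (demo code, not curl's).
 * `msg` is a NUL-terminated message at the start of a buffer that ends at
 * `arena_end`; every read is bounded by arena_end so the demo never touches
 * memory it does not own. Bytes the real tool would fwrite()/fputs() to stderr
 * are appended to `out`. Returns the number of bytes appended. */
static size_t wrap_warning(const char *msg, const char *arena_end,
                           size_t width, int fixed,
                           char *out, size_t outcap)
{
    const char *ptr = msg;
    size_t len = strlen(msg);   /* bytes believed to remain */
    size_t n = 0;

    while(len > width) {
        size_t cut = width - 1;
        if(ptr + width > arena_end)
            return n;               /* demo-only guard, never hit here */
        /* back up to the last space on this line; with the buggy accounting
         * ptr[cut] can already lie past the message's terminating NUL */
        while(!isspace((unsigned char)ptr[cut]) && cut)
            cut--;
        if(cut == 0)
            cut = width - 1;        /* no space found: hard cut at the width */
        if(n + cut + 2 > outcap)
            return n;               /* demo-only guard */
        memcpy(out + n, ptr, cut + 1);   /* real tool: fwrite(ptr, cut + 1, ...) */
        n += cut + 1;
        out[n++] = '\n';
        ptr += cut + 1;                  /* skip the space too */
        /* 7.61.1: len -= cut;  7.62.0: len -= cut + 1  (the one-byte mismatch) */
        len -= fixed ? cut + 1 : cut;
    }
    /* real tool: fputs(ptr, stderr), which reads up to the next NUL wherever
     * ptr now points; bounded here by the arena */
    while(ptr < arena_end && *ptr && n < outcap)
        out[n++] = *ptr++;
    return n;
}

#define DEMO_WIDTH 10   /* constructed; small so the wrap trace stays short */

/* Constructed scenario: a 35-byte message followed in the same buffer by a
 * neighbouring string, as a cookie or password might sit next to it on the heap. */
static size_t run_demo(int fixed, char *out, size_t outcap)
{
    static const char msg[] = "aa bb cc dd ee ff gg hh ii jjjjjjjj";
    static const char neighbour[] = "SECRET=hunter2";
    char arena[64];
    memset(arena, 0, sizeof arena);
    memcpy(arena, msg, sizeof msg);                          /* includes NUL */
    memcpy(arena + sizeof msg, neighbour, sizeof neighbour); /* adjacent object */
    return wrap_warning(arena, arena + sizeof arena, DEMO_WIDTH, fixed,
                        out, outcap);
}

/* Number of bytes that would have gone to stderr. */
static size_t demo_bytes(int fixed)
{
    char out[128];
    return run_demo(fixed, out, sizeof out);
}

/* 1 if the bytes that would reach stderr contain the neighbour's secret. */
static int demo_leaks(int fixed)
{
    char out[128];
    size_t n = run_demo(fixed, out, sizeof out);
    const char *needle = "hunter2";
    size_t nl = strlen(needle);
    for(size_t i = 0; i + nl <= n; i++)
        if(memcmp(out + i, needle, nl) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("7.61.1 accounting: %zu bytes to stderr, secret leaked: %d\n",
           demo_bytes(0), demo_leaks(0));
    printf("7.62.0 accounting: %zu bytes to stderr, secret leaked: %d\n",
           demo_bytes(1), demo_leaks(1));
    return 0;
}
```

With the buggy accounting the message wraps three times, each wrap over-counts the remainder by one, and the fourth pass starts with eight real bytes left but believes there are eleven: the backward scan for a space reads past the NUL, the hard cut copies the NUL and the first byte of the neighbour, and the final unbounded print of `ptr` emits the rest of the neighbour. The corrected accounting stops after the third wrap and prints only the message.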

Exploitation

An attacker triggers the over-read by getting the curl tool to emit a warning long enough to be word-wrapped over several lines, for example a warning that echoes attacker-supplied input such as a URL. No authentication is needed, and no user interaction beyond running the curl command is required. The over-read bytes are not only read but written to stderr together with the rest of the warning, so anyone who can observe the tool's error output sees the leaked memory. Because the flaw is in the curl binary rather than in libcurl, applications that link libcurl without executing the tool are not affected [2][3].

Impact

A successful trigger discloses heap memory adjacent to the warning buffer, which may hold sensitive data such as passwords, cookies or other process data, or crashes the tool when the read runs into unmapped memory, a denial of service. The flaw is a read only; it does not corrupt memory and does not allow arbitrary code execution of any kind [1][2][3].

Mitigation

The vulnerability is fixed in curl 7.62.0, released on October 31, 2018. Red Hat, Ubuntu and other distributors have issued updated packages (e.g. RHSA-2019:2181, USN-3805-1, USN-3805-2). Users should upgrade to curl 7.62.0 or later, or to their distribution's patched package; note that distributions often backport the fix without changing the version string, so on such systems the distribution advisory, not the output of curl --version alone, is what confirms the fix is present. No workaround is available for versions that remain unpatched [1][3][4].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
