CVE-2018-17983
Description
cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Mercurial before 4.7.2, parsing a malformed manifest entry in cext/manifest.c triggers an out-of-bounds read.
Vulnerability
In Mercurial versions before 4.7.2, the cext/manifest.c file contains an out-of-bounds read vulnerability. The bug occurs during the parsing of a specially crafted manifest entry, where the code does not properly validate the length of the input before reading memory. Affected versions include all Mercurial releases prior to 4.7.2, as documented in the project's release notes [1].
Exploitation
An attacker can exploit this vulnerability by providing a malicious manifest entry to a repository that is then parsed by Mercurial. The attacker does not require any special authentication or network position, as the malformed entry can be introduced through a crafted commit or repository that a victim clones or pulls. The out-of-bounds read occurs automatically when the manifest is parsed during operations such as hg log, hg update, or other commands that process repository history [2][3].
Impact
Successful exploitation allows the attacker to cause an out-of-bounds read, which may lead to information disclosure of sensitive data from memory or a crash (denial of service). The impact is limited to read access beyond the intended buffer; there is no evidence of arbitrary code execution from this bug alone. The vulnerability affects the integrity of the manifest parsing process [2][3].
Mitigation
Mercurial 4.7.2 was released on 2018-10-01 and contains the fix for this vulnerability [1]. Users should upgrade to version 4.7.2 or later. The fix is available in the Mercurial repository (revision 5405cb1a7901) [4]. No workarounds are documented for unpatched versions; upgrading is the only mitigation.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mercurialPyPI | < 4.7.2 | 4.7.2 |
Affected products
3- ghsa-coords3 versionspkg:pypi/mercurialpkg:rpm/opensuse/mercurial&distro=openSUSE%20Tumbleweedpkg:rpm/suse/mercurial&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015
< 4.7.2+ 2 more
- (no CPE)range: < 4.7.2
- (no CPE)range: < 5.9.1-2.1
- (no CPE)range: < 4.5.2-3.6.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-p575-cf9h-wv42ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-17983ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-91.yamlghsaWEB
- www.mercurial-scm.org/repo/hg/rev/5405cb1a7901ghsax_refsource_MISCWEB
- www.mercurial-scm.org/wiki/WhatsNewghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.