CURL-CVE-2016-8617

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2016-8617.html

Import Source

https://curl.se/docs/CURL-CVE-2016-8617.json

JSON Data

https://api.test.osv.dev/v1/vulns/CURL-CVE-2016-8617

Aliases

CVE-2016-8617

Published

2016-11-02T08:00:00Z

Modified

2026-05-18T13:46:16.636214Z

Summary

OOB write via unchecked multiplication

Details

In libcurl's base64 encode function, the output buffer is allocated as follows without any checks on insize:

malloc( insize * 4 / 3 + 4 )

On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the multiplication in the expression wraps around if insize is at least 1GB of data. If this happens, an undersized output buffer is allocated, but the full result is written, thus causing the memory behind the output buffer to be overwritten.

If a username is set directly via CURLOPT_USERNAME (or curl's -u, --user option), this vulnerability can be triggered. The name has to be at least 512MB big in a 32-bit system.

Systems with 64-bit versions of the size_t type are not affected by this issue.

Database specific

{
    "URL": "https://curl.se/docs/CVE-2016-8617.json",
    "www": "https://curl.se/docs/CVE-2016-8617.html",
    "CWE": {
        "id": "CWE-131",
        "desc": "Incorrect Calculation of Buffer Size"
    },
    "package": "curl",
    "severity": "Medium",
    "affects": "both",
    "last_affected": "7.50.3"
}

References

Credits

- Cure53 - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.8.1

Fixed

7.51.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

00b00c693127d9e3a4eedce4c8cdf6e87087192d

Fixed

efd24d57426bd77c9b5860e6b297904703750412

Affected versions

7.*

7.10

7.10.1

7.10.2

7.10.3

7.10.4

7.10.5

7.10.6

7.10.7

7.10.8

7.11.0

7.11.1

7.11.2

7.12.0

7.12.1

7.12.2

7.12.3

7.13.0

7.13.1

7.13.2

7.14.0

7.14.1

7.15.0

7.15.1

7.15.2

7.15.3

7.15.4

7.15.5

7.16.0

7.16.1

7.16.2

7.16.3

7.16.4

7.17.0

7.17.1

7.18.0

7.18.1

7.18.2

7.19.0

7.19.1

7.19.2

7.19.3

7.19.4

7.19.5

7.19.6

7.19.7

7.20.0

7.20.1

7.21.0

7.21.1

7.21.2

7.21.3

7.21.4

7.21.5

7.21.6

7.21.7

7.22.0

7.23.0

7.23.1

7.24.0

7.25.0

7.26.0

7.27.0

7.28.0

7.28.1

7.29.0

7.30.0

7.31.0

7.32.0

7.33.0

7.34.0

7.35.0

7.36.0

7.37.0

7.37.1

7.38.0

7.39.0

7.40.0

7.41.0

7.42.0

7.42.1

7.43.0

7.44.0

7.45.0

7.46.0

7.47.0

7.47.1

7.48.0

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

7.8.1

7.9

7.9.1

7.9.2

7.9.3

7.9.4

7.9.5

7.9.6

7.9.7

7.9.8

Other

before_ftp_statemachine

before_urldata_rename

curl-7_10

curl-7_10_1

curl-7_10_2

curl-7_10_3

curl-7_10_4

curl-7_10_5

curl-7_10_6

curl-7_10_7

curl-7_10_8

curl-7_11_0

curl-7_11_1

curl-7_11_2

curl-7_12_0

curl-7_12_1

curl-7_12_2

curl-7_12_3

curl-7_13_0

curl-7_13_1

curl-7_13_2

curl-7_14_0

curl-7_14_1

curl-7_15_0

curl-7_15_1

curl-7_15_2

curl-7_15_3

curl-7_15_4

curl-7_15_5

curl-7_15_6-prepipeline

curl-7_16_0

curl-7_16_1

curl-7_16_2

curl-7_16_3

curl-7_16_4

curl-7_17_0

curl-7_17_0-preldapfix

curl-7_17_1

curl-7_18_0

curl-7_18_1

curl-7_18_2

curl-7_19_0

curl-7_19_1

curl-7_19_2

curl-7_19_3

curl-7_19_4

curl-7_19_5

curl-7_19_6

curl-7_19_7

curl-7_20_0

curl-7_20_1

curl-7_21_0

curl-7_21_1

curl-7_21_2

curl-7_21_3

curl-7_21_4

curl-7_21_5

curl-7_21_6

curl-7_21_7

curl-7_22_0

curl-7_23_0

curl-7_23_1

curl-7_25_0

curl-7_26_0

curl-7_27_0

curl-7_28_0

curl-7_28_1

curl-7_29_0

curl-7_30_0

curl-7_31_0

curl-7_32_0

curl-7_33_0

curl-7_34_0

curl-7_35_0

curl-7_36_0

curl-7_37_0

curl-7_37_1

curl-7_38_0

curl-7_39_0

curl-7_40_0

curl-7_41_0

curl-7_42_0

curl-7_43_0

curl-7_44_0

curl-7_45_0

curl-7_46_0

curl-7_47_0

curl-7_47_1

curl-7_48_0

curl-7_49_0

curl-7_49_1

curl-7_50_0

curl-7_50_1

curl-7_50_2

curl-7_50_3

curl-7_8_1

curl-7_8_1-pre3

curl-7_9

curl-7_9_1

curl-7_9_2

curl-7_9_3

curl-7_9_3-pre1

curl-7_9_3-pre2

curl-7_9_3-pre3

curl-7_9_4

curl-7_9_5

curl-7_9_5-pre2

curl-7_9_5-pre4

curl-7_9_6

curl-7_9_7

curl-7_9_7-pre2

curl-7_9_8

Database specific

vanir_signatures_modified

"2026-05-18T13:46:16Z"

source

"https://curl.se/docs/CURL-CVE-2016-8617.json"

vanir_signatures

[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "330189580163966104573813564222353944049",
                "251539769233120043131544711578422921980",
                "110228242315381419112297075161928694033"
            ]
        },
        "deprecated": false,
        "id": "CURL-CVE-2016-8617-36b10dd2",
        "source": "https://github.com/curl/curl.git/commit/efd24d57426bd77c9b5860e6b297904703750412",
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "lib/base64.c"
        }
    },
    {
        "digest": {
            "length": 1573.0,
            "function_hash": "339377937843865329842231627374085505111"
        },
        "deprecated": false,
        "id": "CURL-CVE-2016-8617-acca1aa4",
        "source": "https://github.com/curl/curl.git/commit/efd24d57426bd77c9b5860e6b297904703750412",
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "lib/base64.c",
            "function": "base64_encode"
        }
    }
]