CURL-CVE-2016-8622

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2016-8622.html

Import Source

https://curl.se/docs/CURL-CVE-2016-8622.json

JSON Data

https://api.test.osv.dev/v1/vulns/CURL-CVE-2016-8622

Aliases

CVE-2016-8622

Published

2016-11-02T08:00:00Z

Modified

2026-05-29T05:40:50.769705Z

Summary

URL unescape heap overflow via integer truncation

Details

The URL percent-encoding decode function in libcurl is called curl_easy_unescape. Internally, even if this function would be made to allocate a destination buffer larger than 2GB, it would return that new length in a signed 32-bit integer variable, thus the length would get either truncated only or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.

This can be triggered by a user on a 64-bit system if the user can send in a custom (large) URL to a libcurl using program.

Database specific

{
    "www": "https://curl.se/docs/CVE-2016-8622.html",
    "CWE": {
        "id": "CWE-122",
        "desc": "Heap-based Buffer Overflow"
    },
    "package": "curl",
    "last_affected": "7.50.3",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2016-8622.json",
    "severity": "Medium"
}

References

Credits

- Cure53 - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.24.0

Fixed

7.51.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

75ca568fa1c19de4c5358fed246686de8467c238

Fixed

53e71e47d6b81650d26ec33a58d0dca24c7ffb2c

Affected versions

7.*

7.24.0

7.25.0

7.26.0

7.27.0

7.28.0

7.28.1

7.29.0

7.30.0

7.31.0

7.32.0

7.33.0

7.34.0

7.35.0

7.36.0

7.37.0

7.37.1

7.38.0

7.39.0

7.40.0

7.41.0

7.42.0

7.42.1

7.43.0

7.44.0

7.45.0

7.46.0

7.47.0

7.47.1

7.48.0

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

Other

curl-7_24_0

curl-7_25_0

curl-7_26_0

curl-7_27_0

curl-7_28_0

curl-7_28_1

curl-7_29_0

curl-7_30_0

curl-7_31_0

curl-7_32_0

curl-7_33_0

curl-7_34_0

curl-7_35_0

curl-7_36_0

curl-7_37_0

curl-7_37_1

curl-7_38_0

curl-7_39_0

curl-7_40_0

curl-7_41_0

curl-7_42_0

curl-7_42_1

curl-7_43_0

curl-7_44_0

curl-7_45_0

curl-7_46_0

curl-7_47_0

curl-7_47_1

curl-7_48_0

curl-7_49_0

curl-7_49_1

curl-7_50_0

curl-7_50_1

curl-7_50_2

curl-7_50_3

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "280124531524246386527463823407672458088",
                "244082486092391395949212374394278231640",
                "18892424654263822203327588007609056877",
                "278598452881503400689901175441770113675",
                "32713264157592440947457122841913801357"
            ],
            "threshold": 0.9
        },
        "id": "CURL-CVE-2016-8622-51da99ae",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/53e71e47d6b81650d26ec33a58d0dca24c7ffb2c",
        "target": {
            "file": "lib/escape.c"
        }
    },
    {
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "85531600349396079370279736753091447969",
                "240830358155089182095150392992557439355",
                "33138173598708421065494355058414820438",
                "104582267161206224574623770745516623688",
                "39351097544233358387518424182548325223",
                "219042475641267385453072629984152282414",
                "169441797146195818311475194170666887725",
                "185145315697199084722351916857164174407",
                "307687845678070680086753193956844669239",
                "300950789835624101760419461884698879278",
                "340069576809379767714208729173611481098",
                "256718428584902334278504435026204753579"
            ],
            "threshold": 0.9
        },
        "id": "CURL-CVE-2016-8622-8f3c4e22",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/53e71e47d6b81650d26ec33a58d0dca24c7ffb2c",
        "target": {
            "file": "lib/dict.c"
        }
    },
    {
        "signature_type": "Function",
        "digest": {
            "length": 316.0,
            "function_hash": "243118882729615901503887179107051868975"
        },
        "id": "CURL-CVE-2016-8622-b17dc4f0",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/53e71e47d6b81650d26ec33a58d0dca24c7ffb2c",
        "target": {
            "function": "curl_easy_unescape",
            "file": "lib/escape.c"
        }
    },
    {
        "signature_type": "Function",
        "digest": {
            "length": 536.0,
            "function_hash": "111198999320162444531431132207148947414"
        },
        "id": "CURL-CVE-2016-8622-e8a9880d",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/53e71e47d6b81650d26ec33a58d0dca24c7ffb2c",
        "target": {
            "function": "unescape_word",
            "file": "lib/dict.c"
        }
    }
]

source

"https://curl.se/docs/CURL-CVE-2016-8622.json"

vanir_signatures_modified

"2026-05-29T05:40:50Z"