CURL-CVE-2019-3822

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2019-3822.html

Import Source

https://curl.se/docs/CURL-CVE-2019-3822.json

JSON Data

https://api.test.osv.dev/v1/vulns/CURL-CVE-2019-3822

Aliases

CVE-2019-3822

Published

2019-02-06T08:00:00Z

Modified

2026-05-18T13:46:06.173106Z

Summary

NTLMv2 type-3 header stack buffer overflow

Details

libcurl contains a stack based buffer overflow vulnerability.

The function creating an outgoing NTLM type-3 header (lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening.

This output data can grow larger than the local buffer if large response data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server.

Such large response data needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.

Database specific

{
    "affects": "both",
    "last_affected": "7.63.0",
    "package": "curl",
    "www": "https://curl.se/docs/CVE-2019-3822.html",
    "severity": "High",
    "CWE": {
        "desc": "Stack-based Buffer Overflow",
        "id": "CWE-121"
    },
    "URL": "https://curl.se/docs/CVE-2019-3822.json"
}

References

Credits

- Wenxiang Qian of Tencent Blade Team - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER
- Huzaifa Sidhpurwala - OTHER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.36.0

Fixed

7.64.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

86724581b6c02d160b52f817550cfdfc9c93af62

Fixed

50c9484278c63b958655a717844f0721263939cc

Affected versions

7.*

7.36.0

7.37.0

7.37.1

7.38.0

7.39.0

7.40.0

7.41.0

7.42.0

7.42.1

7.43.0

7.44.0

7.45.0

7.46.0

7.47.0

7.47.1

7.48.0

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

7.51.0

7.52.0

7.52.1

7.53.0

7.53.1

7.54.0

7.54.1

7.55.0

7.55.1

7.56.0

7.56.1

7.57.0

7.58.0

7.59.0

7.60.0

7.61.0

7.61.1

7.62.0

7.63.0

Other

curl-7_36_0

curl-7_37_0

curl-7_37_1

curl-7_38_0

curl-7_39_0

curl-7_40_0

curl-7_41_0

curl-7_42_0

curl-7_43_0

curl-7_44_0

curl-7_45_0

curl-7_46_0

curl-7_47_0

curl-7_47_1

curl-7_48_0

curl-7_49_0

curl-7_49_1

curl-7_50_0

curl-7_50_1

curl-7_50_2

curl-7_50_3

curl-7_51_0

curl-7_52_0

curl-7_52_1

curl-7_53_0

curl-7_53_1

curl-7_54_0

curl-7_54_1

curl-7_55_0

curl-7_55_1

curl-7_56_0

curl-7_56_1

curl-7_57_0

curl-7_58_0

curl-7_59_0

curl-7_60_0

curl-7_61_0

curl-7_61_1

curl-7_62_0

curl-7_63_0

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/curl/curl.git/commit/50c9484278c63b958655a717844f0721263939cc",
        "signature_version": "v1",
        "target": {
            "file": "lib/vauth/ntlm.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "46522549148290454789925570788080158728",
                "49236166746968004033894625933615643172",
                "293989637352139989590772450278867974609",
                "337876479484979625219132730045572941827",
                "28263089313798147067029949814912665161",
                "73333534050834162111357397437957432721",
                "272835995896107667374360360978373141065",
                "172736422550849646938343555519740730524"
            ],
            "threshold": 0.9
        },
        "id": "CURL-CVE-2019-3822-0fb0f4e0"
    },
    {
        "source": "https://github.com/curl/curl.git/commit/50c9484278c63b958655a717844f0721263939cc",
        "signature_version": "v1",
        "target": {
            "function": "Curl_auth_create_ntlm_type3_message",
            "file": "lib/vauth/ntlm.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 5186.0,
            "function_hash": "281456879565379301859239210676266882046"
        },
        "id": "CURL-CVE-2019-3822-4f5c57d6"
    }
]

vanir_signatures_modified

"2026-05-18T13:46:06Z"

source

"https://curl.se/docs/CURL-CVE-2019-3822.json"