CVE-2016-9586

Published: 21 December 2016

curl before version 7.52.0 is vulnerable to a buffer overflow when producing large floating-point output in libcurl's implementation of the printf() functions. If any application passes a format string received from an untrusted source to these functions without the necessary input filtering, this could allow remote attacks.

Priority

Low

CVSS 3 base score: 8.1

Status

Package: curl (Launchpad, Ubuntu, Debian)

Release    Status
artful     Not vulnerable (7.52.1-5ubuntu1)
precise    Released (7.22.0-3ubuntu4.18)
trusty     Released (7.35.0-1ubuntu2.11)
upstream   Released (7.52.0)
xenial     Released (7.47.0-1ubuntu2.3)
yakkety    Ignored (reached end-of-life)
zesty      Not vulnerable (7.52.1-4ubuntu1.1)
Patches:
upstream: https://github.com/curl/curl/commit/3ab3c16db6a5674f53cf23d56512a405fde0b2c9
upstream: https://curl.haxx.se/CVE-2016-9586.patch