libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCanonical Ubuntu
OSCanonical14.0416.0418.0418.10Debian
OSDebian9.0Haxx Libcurl
APPHaxx7.36.0 – 7.64.0 (bez)Netapp Active Iq Unified Manager
APPNetapp≥ 7.3≥ 9.5Netapp Clustered Data Ontap
APPNetappwszystkie wersjeNetapp Oncommand Insight
APPNetappwszystkie wersjeNetapp Oncommand Workflow Automation
APPNetappwszystkie wersjeNetapp Snapcenter
APPNetappwszystkie wersjeOracle Communications Operations Monitor
APPOracle3.44.0Oracle Enterprise Manager Ops Center
APPOracle12.3.312.4.0Oracle HTTP Server
APPOracle12.2.1.3.0Oracle MySQL Server
APPOracle5.7.27 – 8.0.15≤ 5.7.26Oracle Secure Global Desktop
APPOracle5.4Oracle Services Tools Bundle
APPOracle19.2Red Hat Enterprise Linux
OSRedhat8.0Siemens Sinema Remote Connect Client
APPSiemens≤ 2.0
Related vulnerabilities
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki