CVE-2019-5436

HIGH

libcurl 7.19.4 through 7.64.1 - TFTP Heap Buffer Overflow (fixed in 7.65.0)


Description

A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.
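The length mismatch behind the description above, as an added C example modelled on the curl advisory linked under References (this is illustrative code written for this page, not libcurl's tftp.c): the client allocates its receive buffer from the negotiated TFTP block size, but the vulnerable recvfrom() call bounds the read by the protocol default of 512 + 4 bytes, so a server that answers a small-blksize client with a full-size DATA datagram writes past the heap allocation. Every name here (tftp_state, fake_recvfrom, build_data_packet, the *_recv_bound helpers) is an assumption of this example, and the server datagram is constructed inline rather than read from a socket.

```c
/*
 * Illustrative reconstruction of the CVE-2019-5436 length mismatch.
 * Not libcurl code: names and structure are this example's own.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TFTP_BLKSIZE_DEFAULT 512   /* RFC 1350 block size */
#define TFTP_BLKSIZE_MIN       8   /* RFC 2348 "blksize" option minimum */
#define TFTP_HDR_LEN           4   /* opcode (2 bytes) + block number (2 bytes) */
#define TFTP_OP_DATA           3

struct tftp_state {
    size_t   blksize;      /* negotiated block size; client may pick < 512 */
    size_t   rpacket_len;  /* bytes actually allocated for rpacket */
    uint8_t *rpacket;      /* heap receive buffer: blksize + TFTP_HDR_LEN */
};

/* Allocate the receive buffer from the requested block size, as the client does. */
int tftp_state_init(struct tftp_state *st, size_t blksize)
{
    if (blksize < TFTP_BLKSIZE_MIN)
        return -1;
    st->blksize = blksize;
    st->rpacket_len = blksize + TFTP_HDR_LEN;
    st->rpacket = calloc(1, st->rpacket_len);
    return st->rpacket ? 0 : -1;
}

void tftp_state_free(struct tftp_state *st)
{
    free(st->rpacket);
    st->rpacket = NULL;
}

/* Stand-in for recvfrom(): a UDP socket hands over min(datagram, buflen) bytes. */
static size_t fake_recvfrom(const uint8_t *dgram, size_t dgram_len,
                            uint8_t *buf, size_t buflen)
{
    size_t n = dgram_len < buflen ? dgram_len : buflen;
    memcpy(buf, dgram, n);
    return n;
}

/* VULNERABLE bound: the protocol default, regardless of how big rpacket really is. */
size_t vulnerable_recv_bound(const struct tftp_state *st)
{
    (void)st;
    return TFTP_BLKSIZE_DEFAULT + TFTP_HDR_LEN;   /* always 516 */
}

/* FIXED bound: the size that was used when rpacket was allocated. */
size_t fixed_recv_bound(const struct tftp_state *st)
{
    return st->blksize + TFTP_HDR_LEN;
}

/* Bytes a server datagram of dgram_len would write past rpacket's end under
 * a given recvfrom() bound; 0 means the write stays inside the allocation. */
size_t overflow_bytes(const struct tftp_state *st, size_t bound, size_t dgram_len)
{
    size_t written = dgram_len < bound ? dgram_len : bound;
    return written > st->rpacket_len ? written - st->rpacket_len : 0;
}

/* Constructed server DATA packet: opcode 3, block number, payload_len bytes of 'A'. */
size_t build_data_packet(uint8_t *out, size_t cap, uint16_t block, size_t payload_len)
{
    if (cap < TFTP_HDR_LEN + payload_len)
        return 0;
    out[0] = 0; out[1] = TFTP_OP_DATA;
    out[2] = (uint8_t)(block >> 8); out[3] = (uint8_t)(block & 0xff);
    memset(out + TFTP_HDR_LEN, 'A', payload_len);
    return TFTP_HDR_LEN + payload_len;
}

/* Receive using the fixed bound; returns payload length, or -1 on a malformed packet. */
long tftp_receive_data(struct tftp_state *st, const uint8_t *dgram, size_t dgram_len)
{
    size_t n = fake_recvfrom(dgram, dgram_len, st->rpacket, fixed_recv_bound(st));
    uint16_t opcode;
    if (n < TFTP_HDR_LEN)
        return -1;
    opcode = (uint16_t)((st->rpacket[0] << 8) | st->rpacket[1]);
    if (opcode != TFTP_OP_DATA)
        return -1;
    return (long)(n - TFTP_HDR_LEN);
}

int main(void)
{
    struct tftp_state st;
    uint8_t dgram[TFTP_BLKSIZE_DEFAULT + TFTP_HDR_LEN];
    size_t len = build_data_packet(dgram, sizeof dgram, 1, TFTP_BLKSIZE_DEFAULT);

    tftp_state_init(&st, TFTP_BLKSIZE_MIN);          /* client asked for blksize 8 */
    printf("allocated %zu bytes\n", st.rpacket_len);
    printf("vulnerable bound overflows by %zu bytes\n",
           overflow_bytes(&st, vulnerable_recv_bound(&st), len));
    printf("fixed bound overflows by %zu bytes\n",
           overflow_bytes(&st, fixed_recv_bound(&st), len));
    printf("fixed receive returns payload of %ld bytes\n",
           tftp_receive_data(&st, dgram, len));
    tftp_state_free(&st);
    return 0;
}
```

With a client-chosen block size of 8 the allocation is 12 bytes while the vulnerable bound still lets recvfrom() write up to 516, so a full-size server DATA packet lands 504 bytes past the end of the heap buffer; with the default block size both bounds coincide and no overflow is possible, which is why the bug is reachable only when the client negotiated a block size below the default.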

References (14)

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/09/11/6
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4633
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2020/Feb/36
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202003-29
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2020.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190606-0004/
Exploit, Patch, Vendor Advisory x_refsource_confirm
https://curl.haxx.se/docs/CVE-2019-5436.html
Third Party Advisory x_refsource_confirm
https://support.f5.com/csp/article/K55133295

Scores

CVSS v3 7.8
EPSS 0.1358
EPSS Percentile 94.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-122 CWE-787
Status published
Products (16)
curl/curl Fixed in 7.65.0
debian/debian_linux 9.0
debian/debian_linux 10.0
f5/traffix_signaling_delivery_controller 5.0.0 - 5.1.0
fedoraproject/fedora 29
haxx/libcurl 7.19.4 - 7.64.1
netapp/hci_management_node
netapp/solidfire
netapp/steelstore_cloud_integrated_storage
opensuse/leap 15.0
... and 6 more
Published May 28, 2019
Tracked Since Feb 18, 2026