Description
ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.
References (6)
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html
Mailing List, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2022/Oct/41
Mailing List mailing-list
http://seclists.org/fulldisclosure/2022/Oct/28
Exploit, Mailing List, Vendor Advisory
https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html
Mailing List, Vendor Advisory
https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html
Third Party Advisory
https://support.apple.com/kb/HT213488
Scores
CVSS v3: 7.1
EPSS: 0.0004
EPSS Percentile: 12.8%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-125
Status: published
Products (4)
apple/macos: < 13.0
debian/debian_linux: 10.0
gnu/ncurses: 6.3
gnu/ncurses: < 6.3
Published: Apr 18, 2022
Tracked Since: Feb 18, 2026