CVE-2018-16890 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2018-16890

CVE-2018-16890

Published:February 06, 2019

Updated:May 17, 2026

libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages ("lib/vauth/ntlm.c:ntlm_decode_type2_target") does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.

Related Resources (15)

https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16890

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://security.netapp.com/advisory/ntap-20190315-0001/

https://www.debian.org/security/2019/dsa-4386

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://access.redhat.com/errata/RHSA-2019:3701

https://support.f5.com/csp/article/K03314397?utm_source=f5support&amp%3Butm_medium=RSS

https://access.redhat.com/security/cve/CVE-2018-16890

https://security-tracker.debian.org/tracker/CVE-2018-16890

https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E