PT-2016-7785 · Curl · Libcurl
Daniel Stenberg · Published 2016-12-21 · Updated 2024-06-15
CVE-2016-9586
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
curl versions prior to 7.52.0
Description
The issue is a buffer overflow in libcurl's implementation of the printf() family of functions when it formats large floating point output. The floating point conversion relies on system functions without proper boundary checks, so a conversion that produces more than 255 bytes overruns the buffer. The affected functions are deprecated and planned for removal, but they are still present and nothing prevents their use, so existing users are likely. If an application accepts a format string from an external source without proper filtering, the flaw can be exploited remotely.
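The missing boundary check described above, shown as an added example in C that is not curl's own code: a float conversion staged through a 256-byte scratch buffer, hardened with snprintf plus a pre-check on caller-supplied width and precision. The function names, the WORK_BUFSIZE constant and the 256-byte buffer size are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed size of the fixed scratch buffer: room for 255 characters of
 * converted output plus the terminating NUL. */
#define WORK_BUFSIZE 256

/* Unsafe pattern (illustration only, deliberately not compiled in): the
 * number is written into the fixed scratch buffer with no bound on the
 * caller-supplied width or precision, so a width above 255 runs past it.
 *
 *     sprintf(work, "%*.*f", width, prec, value);
 */

/* Hardened conversion: snprintf never writes past the scratch buffer, and
 * a result that did not fit is reported as an error rather than being
 * emitted clipped. Returns the number of characters copied into out, or
 * -1 if the conversion exceeds the 255-character limit or does not fit
 * into out. */
int safe_float_conv(char *out, size_t outlen, int width, int prec, double value)
{
    char work[WORK_BUFSIZE];
    if (width < 0 || prec < 0)
        return -1;
    /* snprintf returns the length the full conversion *would* have had;
     * a value >= sizeof(work) means the limit was exceeded. */
    int needed = snprintf(work, sizeof(work), "%*.*f", width, prec, value);
    if (needed < 0 || (size_t)needed >= sizeof(work))
        return -1;
    if ((size_t)needed >= outlen)
        return -1;
    memcpy(out, work, (size_t)needed + 1);
    return needed;
}

/* Pre-check for callers that take width/precision from an external format
 * string: reject the request before any conversion happens. A fixed-point
 * conversion is at least `width` characters long and at least `prec + 2`
 * characters ("0." plus the fraction digits), so either bound above 255
 * is enough to refuse. */
bool float_spec_within_limit(int width, int prec)
{
    const int max_chars = WORK_BUFSIZE - 1;
    return width >= 0 && prec >= 0 &&
           width <= max_chars && prec + 2 <= max_chars;
}
```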
Recommendations
Update to curl 7.52.0 or later, which resolves the issue. Until the update is applied, avoid using libcurl's deprecated printf() functions as a temporary workaround, and restrict access to any application that passes externally supplied format strings to these functions without the necessary input filtering, to minimize the risk of exploitation.
Fix
Buffer Overflow
Stack Overflow
Heap Based Buffer Overflow
Related Identifiers
Affected Products
Alt Linux
Suse
Ubuntu
Libcurl