PT-2016-7788 · Curl+1 · Curl+1

Kamil Dudka

Published

2016-12-23

Updated

2026-05-18

CVE-2016-9594

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions curl versions prior to 7.52.1

Description The issue arises from an uninitialized random value in libcurl's internal function, which is used to generate nonces for Digest and NTLM authentication, boundary strings in HTTP formposts, and more. This weak or virtually non-existent random value makes the operations that use it vulnerable. The internal function was implemented poorly, overwriting the pointer instead of writing the value into the buffer the pointer pointed to.

Recommendations For versions prior to 7.52.1, update to version 7.52.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of Digest and NTLM authentication, as well as HTTP formposts, until a patch is available.

Fix

Use of Insufficiently Random Values

Improper Initialization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-330CWE-665

Related Identifiers

ALT-PU-2016-2479

ALT-PU-2018-2456

CLEANSTART-2026-AY18527

CLEANSTART-2026-BW46578

CLEANSTART-2026-DI23929

CLEANSTART-2026-LQ42192

CLEANSTART-2026-OF85770

CVE-2016-9594

OPENSUSE-SU-2024:10582-1

Affected Products

Alt Linux

Curl

PT-2016-7788 · Curl+1 · Curl+1

CVE-2016-9594

Weakness Enumeration

Related Identifiers

Affected Products

References · 316