PT-2016-7889 · Curl · Libcurl

Dan Mcnulty · Published 2016-12-21 · Updated 2023-12-15

CVE-2016-9953

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: libcurl versions 7.30.0 through 7.51.0

Description: The issue allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly have unspecified other impact via a wildcard certificate name, which triggers an out-of-bounds read. This occurs in the verify certificate function when comparing a wildcard certificate name to the hostname used to make the connection to the server. The pattern matching logic exhibits an out-of-bounds read, potentially leaking the contents of memory immediately preceding the connection hostname buffer.

Recommendations: For libcurl versions 7.30.0 through 7.51.0, consider disabling the verify certificate function until a patch is available, or restrict the use of wildcard certificate names to minimize the risk of exploitation. Additionally, ensure that the CertGetNameString() function is used carefully to avoid potential out-of-bounds reads. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
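As an added illustration of the defensive pattern this class of bug calls for (this is example code written for this page, not curl's code and not part of the advisory), the C function below compares a certificate name, possibly with a leading "*." label, against a hostname. Every comparison is preceded by an explicit length check, so a wildcard name whose literal part is longer than the hostname is rejected outright instead of being compared byte-for-byte past the start of the hostname buffer. The function names, the single-label wildcard policy and the sample names are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes.
 * Callers guarantee that both buffers hold at least n bytes. */
static bool eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/* Hypothetical matcher (not libcurl's API).
 * Accepts an exact case-insensitive match, or a wildcard of the form
 * "*.example.com" where '*' stands for exactly one leading host label.
 * Returns true on match, false otherwise. Never reads outside either
 * NUL-terminated string: the host length is checked against the length
 * of the pattern's literal part before any suffix comparison happens. */
bool cert_name_matches(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL)
        return false;

    size_t plen = strlen(pattern);
    size_t hlen = strlen(host);

    /* No leading "*.": plain exact comparison, lengths must agree. */
    if (plen < 2 || pattern[0] != '*' || pattern[1] != '.')
        return plen == hlen && eq_nocase(pattern, host, plen);

    /* Only one wildcard, and it must be followed by at least two labels
     * (reject patterns such as "*.com"). */
    if (strchr(pattern + 2, '*') != NULL || strchr(pattern + 2, '.') == NULL)
        return false;

    const char *suffix = pattern + 1;   /* literal part, e.g. ".example.com" */
    size_t slen = plen - 1;

    /* The bounds check: the host must hold the whole literal suffix plus
     * at least one character for the label the wildcard replaces.
     * Without this, a suffix-first comparison would walk before host[0]. */
    if (hlen < slen + 1)
        return false;

    size_t label_len = hlen - slen;

    /* The wildcard covers a single label: no '.' inside the replaced part. */
    if (memchr(host, '.', label_len) != NULL)
        return false;

    return eq_nocase(host + label_len, suffix, slen);
}

int main(void)
{
    /* Constructed sample pairs for demonstration. */
    const char *cases[][2] = {
        { "*.example.com",   "www.example.com" },   /* match            */
        { "*.example.com",   "a.b.example.com" },   /* two labels: no   */
        { "*.example.com",   "example.com"     },   /* too short: no    */
        { "*.example.com",   "com"             },   /* much shorter: no */
        { "www.example.com", "WWW.EXAMPLE.COM" },   /* exact, any case  */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-18s vs %-18s -> %s\n", cases[i][0], cases[i][1],
               cert_name_matches(cases[i][0], cases[i][1]) ? "match" : "no match");
    }
    return 0;
}
```

The check `hlen < slen + 1` is the single line that separates a safe matcher from one that leaks the bytes before the hostname buffer: a comparison that starts from the end of both strings and walks backwards until it reaches the '*' is only correct if it has first confirmed the host is at least as long as the literal part of the pattern.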

Weakness Enumeration

Out-of-bounds Read
Buffer Over-read

Related Identifiers

CVE-2016-9953

Affected Products

Libcurl