PT-2022-5976 · Curl+5
Kurohiro · Published 2022-10-26 · Updated 2026-05-18
CVE-2022-35260
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
curl versions prior to 7.86.0
Description
The issue stems from an error in curl's parsing of the .netrc file used for credentials, which can lead to a denial of service. If a malicious user can supply a custom .netrc file to an application, or otherwise influence its contents, this flaw can be used to crash the application or cause other unexpected behavior. A .netrc file can be crafted to contain a line of 4095 consecutive non-whitespace characters with no newline, causing the parser to read past the end of a stack-based buffer and potentially write a zero byte beyond its boundary.
Recommendations
Update to curl version 7.86.0 or later to resolve the issue. As a temporary workaround, restrict who can supply custom .netrc files to the application, or validate their contents before use to reject malicious input. Avoid using .netrc files with untrusted or unvalidated contents until the update is applied.
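As an added example, not code from this advisory or from the curl project, the following Python pre-check implements the "validate their contents" workaround: it flags any whitespace-free .netrc token that reaches the 4095-character length named in the description, so the file can be rejected before it is handed to an unpatched curl. The sample .netrc content and the function names are constructed for this illustration.

```python
# Token length that the advisory names as the trigger for CVE-2022-35260:
# a .netrc line holding 4095 consecutive non-whitespace characters.
TRIGGER_TOKEN_LENGTH = 4095


def find_overlong_netrc_tokens(netrc_text, limit=TRIGGER_TOKEN_LENGTH):
    """Return a list of (line_number, token_length) for every whitespace-free
    token whose length is at or above `limit`.

    An empty list means no line carries a token long enough to overrun the
    fixed-size line buffer of an affected curl release. The check is
    deliberately stricter than the exact trigger: a real .netrc never needs
    tokens anywhere near this length, so flagging them costs nothing.
    """
    findings = []
    for lineno, line in enumerate(netrc_text.splitlines(), start=1):
        for token in line.split():
            if len(token) >= limit:
                findings.append((lineno, len(token)))
    return findings


def netrc_file_is_safe(path):
    """Read a .netrc file from disk and report whether it passes the check.

    Decoding errors are replaced rather than raised so that a deliberately
    malformed file cannot bypass the scan by crashing the reader.
    """
    with open(path, encoding="utf-8", errors="replace") as handle:
        return not find_overlong_netrc_tokens(handle.read())


# Constructed sample: two well-formed entries, then a third line whose
# single token hits the 4095-character trigger and has no trailing newline.
SAMPLE_NETRC = (
    "machine example.com login alice password s3cret\n"
    "default login anonymous password guest@example.com\n"
    "machine " + "a" * TRIGGER_TOKEN_LENGTH
)

if __name__ == "__main__":
    for lineno, length in find_overlong_netrc_tokens(SAMPLE_NETRC):
        print(f"line {lineno}: token of {length} characters exceeds the safe length")
```

Run the check on an untrusted file with `netrc_file_is_safe(path)` before pointing an affected curl at it; on a patched curl (7.86.0 or later) the pre-check is no longer required.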
Exploit
Fix
DoS
Exposure of Resource to Wrong Sphere
Out-of-bounds Read
Information Disclosure
Stack Overflow
Memory Corruption
Related Identifiers
Affected Products
Alt Linux
Linuxmint
Apple Macos
Red Os
Ubuntu
Curl