MGASA-2016-0316

Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 21 Sept 2016, 20:38
Last modified: 16 Apr 2026, 06:26

Vulnerability Summary

Overall Risk (default): minimal (0/100)
CVSS Score: No data
EPSS Score: No data
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

21 Sept 2016, 20:38 - Published: Vulnerability first disclosed
16 Apr 2026, 06:26 - Last Modified: Vulnerability information updated

Description

Updated curl packages fix security vulnerability.

The four libcurl functions curl_escape(), curl_easy_escape(), curl_unescape() and curl_easy_unescape() perform string URL percent escaping and unescaping. They accept custom string length inputs in signed integer arguments. The provided string length arguments were not properly checked and, due to arithmetic in the functions, passing in the length 0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up causing an allocation of zero bytes of heap memory that curl would attempt to write gigabytes of data into (CVE-2016-7167).

Affected Systems

  • mageia curl < 7.40.0-3.5.mga5
