{"id":"CURL-CVE-2016-8618","summary":"double free in curl_maprintf","details":"The libcurl API function called `curl_maprintf()` can be tricked into doing a\ndouble free due to an unsafe `size_t` multiplication, on systems using 32-bit\n`size_t` variables. The function is also used internally in numerous\nsituations.\n\nThe function doubles an allocated memory area with realloc() and allows the\nsize to wrap and become zero. When that happens, realloc() returns NULL *and*\nfrees the memory - contrary to a normal realloc() failure, where it only returns\nNULL - causing libcurl to free the memory *again* in the error path.\n\nSystems with 64-bit versions of the `size_t` type are not affected by this\nissue.\n\nThis behavior can be triggered using the publicly exposed function.","aliases":["CVE-2016-8618"],"modified":"2026-04-25T20:30:37.098978Z","published":"2016-11-02T08:00:00Z","database_specific":{"severity":"Medium","CWE":{"id":"CWE-415","desc":"Double Free"},"package":"curl","last_affected":"7.50.3","www":"https://curl.se/docs/CVE-2016-8618.html","URL":"https://curl.se/docs/CVE-2016-8618.json","affects":"lib"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"5.4"},{"fixed":"7.51.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ae1912cb0d494b48d514d937826c9fe83ec96c4d"},{"fixed":"8732ec40db652c53fa58cd13e2acb8eab6e40874"}]}],"versions":["7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6","7.10.5","7.10.4","7.10.3","7.10.2","7.10.1","7.10","7.9.8","7.9.7","7.9.6","7.9.5","7.9.4","7.9.3","7.9.2","7.9.1","7.9","7.8.1","7.8","7.7.3","7.7.2","7.7.1","7.7","7.6.1","7.6","7.5.2","7.5.1","7.5","7.4.2","7.4.1","7.4","7.3","7.2.1","7.2","7.1.1","7.1","6.5.2","6.5.1","6.5","6.4","6.3.1","6.3","6.2","6.1","6.0","5.11","5.10","5.9.1","5.9","5.8","5.7.1","5.7","5.5.1","5.5","5.4"],"database_specific":{"vanir_signatures_modified":"2026-04-25T20:30:37Z","source":"https://curl.se/docs/CURL-CVE-2016-8618.json","vanir_signatures":[{"id":"CURL-CVE-2016-8618-3996a379","deprecated":false,"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/8732ec40db652c53fa58cd13e2acb8eab6e40874","digest":{"threshold":0.9,"line_hashes":["75001522080495210994942552173599286844","33681074299352035313543029090030846296","204015374357296351363811040425450728475","299155305587589138460013865940564890961","96936233615004794329957547192559596526","90287887445889568938957656822370667388","195868362582029098998770542972876136014","163078986883876347185984189768736405766","301726664660379874073292589691579526552","313621663194152868306095671590885470158","204348933679422222305263277793262229939"]},"target":{"file":"lib/mprintf.c"},"signature_type":"Line"},{"id":"CURL-CVE-2016-8618-d7a27ded","deprecated":false,"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/8732ec40db652c53fa58cd13e2acb8eab6e40874","digest":{"function_hash":"30940192872577281112764343774121106408","length":566},"target":{"function":"alloc_addbyter","file":"lib/mprintf.c"},"signature_type":"Function"}]}}],"schema_version":"1.7.5","credits":[{"name":"Cure53","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}