{"id":"CURL-CVE-2016-9952","summary":"Win CE Schannel cert wildcard matches too much","details":"curl's TLS server certificate checks are flawed on Windows CE.\n\nThis vulnerability occurs in the verify certificate function when comparing a\nwildcard certificate name (as returned by the Windows API function\n`CertGetNameString`) to the hostname used to make the connection to the\nserver.\n\nThe vulnerability can be triggered with an overly permissive wildcard SAN in\nthe server certificate such as a DNS name of `*.com`. When the function\ncompares the cert name to the connection hostname, the wildcard character is\nremoved from the cert name and the connection hostname is checked to see if it\nends with the modified cert name. This means a hostname of example.com would\nmatch a DNS SAN of `*.com`, among other variations. This approach violates\nrecommendations in RFC 6125 and could lead to MITM attacks.","aliases":["CVE-2016-9952"],"modified":"2026-05-21T06:00:09.675292523Z","published":"2016-12-21T08:00:00Z","database_specific":{"affects":"both","URL":"https://curl.se/docs/CVE-2016-9952.json","www":"https://curl.se/docs/CVE-2016-9952.html","last_affected":"7.51.0","severity":"Medium","package":"curl","CWE":{"desc":"Improper Certificate Validation","id":"CWE-295"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.27.0"},{"fixed":"7.52.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"4ab2d26cb83dfbb74ba9eeaaa4835b4dd12883d4"},{"fixed":"0354eed41085baa5ba8777019ebf5e9ef32c001d"}]}],"versions":["7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","curl-7_51_0","curl-7_50_3","curl-7_50_2","curl-7_50_1","curl-7_50_0","curl-7_49_1","curl-7_49_0","curl-7_48_0","curl-7_47_1","curl-7_47_0","curl-7_46_0","curl-7_45_0","curl-7_44_0","curl-7_43_0","curl-7_42_1","curl-7_42_0","curl-7_41_0","curl-7_40_0","curl-7_39_0","curl-7_38_0","curl-7_37_1","curl-7_37_0","curl-7_36_0","curl-7_35_0","curl-7_34_0","curl-7_33_0","curl-7_32_0","curl-7_31_0","curl-7_30_0","curl-7_29_0","curl-7_28_1","curl-7_28_0","curl-7_27_0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2016-9952.json"}}],"schema_version":"1.7.5","credits":[{"name":"Dan McNulty","type":"FINDER"},{"name":"Dan McNulty","type":"REMEDIATION_DEVELOPER"}]}