{"id":"CURL-CVE-2018-16839","summary":"SASL password overflow via integer overflow","details":"libcurl contains a buffer overrun in the SASL authentication code.\n\nThe internal function `Curl_auth_create_plain_message` fails to correctly\nverify that the passed in lengths for name and password are not too long, then\ncalculates a buffer size to allocate.\n\nOn systems with a 32-bit `size_t`, the math to calculate the buffer size\ntriggers an integer overflow when the username length exceeds 1GB and the\npassword name length is close to 2GB in size. This integer overflow usually\ncauses a tiny buffer to actually get allocated instead of the intended huge\none, making the use of that buffer end up in a heap buffer overflow.\n\n(This bug is similar to\n[CVE-2018-14618](https://curl.se/docs/CVE-2018-14618.html).)","aliases":["CVE-2018-16839"],"modified":"2026-04-25T20:30:33.155945Z","published":"2018-10-31T08:00:00Z","database_specific":{"severity":"Low","CWE":{"desc":"Incorrect Calculation of Buffer Size","id":"CWE-131"},"last_affected":"7.61.1","package":"curl","affects":"both","URL":"https://curl.se/docs/CVE-2018-16839.json","www":"https://curl.se/docs/CVE-2018-16839.html"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.33.0"},{"fixed":"7.62.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"c56f9797e7feb7c2dc93bc389d4b85cc75220d77"},{"fixed":"f3a24d7916b9173c69a3e0ee790102993833d6c5"}]}],"versions":["7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2018-16839.json","vanir_signatures_modified":"2026-04-25T20:30:33Z","vanir_signatures":[{"source":"https://github.com/curl/curl.git/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5","digest":{"length":711,"function_hash":"307941837594799485192212106034451078774"},"id":"CURL-CVE-2018-16839-712de67c","signature_type":"Function","signature_version":"v1","target":{"function":"Curl_auth_create_plain_message","file":"lib/vauth/cleartext.c"},"deprecated":false},{"source":"https://github.com/curl/curl.git/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5","digest":{"threshold":0.9,"line_hashes":["323405508741544077634728860040609514286","223299084025646397460911356647096920855","237287603532771469400165005710548925177","294262302604077010113878498613345104589"]},"id":"CURL-CVE-2018-16839-c4e18881","signature_type":"Line","signature_version":"v1","target":{"file":"lib/vauth/cleartext.c"},"deprecated":false}]}}],"schema_version":"1.7.5","credits":[{"name":"Harry Sintonen","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}