{"id":"CURL-CVE-2019-5481","summary":"FTP-KRB double free","details":"libcurl can be told to use kerberos over FTP to a server, as set with the\n`CURLOPT_KRBLEVEL` option.\n\nDuring such kerberos FTP data transfer, the server sends data to curl in\nblocks with the 32-bit size of each block first and then that amount of data\nimmediately following.\n\nA malicious or just broken server can claim to send a large block and if\nby doing that it makes curl's subsequent call to `realloc()` to fail, curl\nwould then misbehave in the exit path and double free the memory.\n\nIn practical terms, an up to 4 GB memory area may well be fine to allocate\non a modern 64-bit system but on 32-bit systems it fails.\n\nKerberos FTP is a rarely used protocol with curl. Also, Kerberos\nauthentication is usually only attempted and used with servers that the client\nhas a previous association with.","aliases":["CVE-2019-5481"],"modified":"2025-11-12T00:50:45Z","published":"2019-09-11T08:00:00Z","database_specific":{"URL":"https://curl.se/docs/CVE-2019-5481.json","issue":"https://hackerone.com/reports/686823","severity":"Medium","affects":"both","award":{"amount":"200","currency":"USD"},"package":"curl","last_affected":"7.65.3","www":"https://curl.se/docs/CVE-2019-5481.html","CWE":{"desc":"Double Free","id":"CWE-415"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.52.0"},{"fixed":"7.66.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"0649433da53c7165f839e24e889e131e2894dd32"},{"fixed":"9069838b30fb3b48af0123e39f664cea683254a5"}]}],"versions":["7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2019-5481.json","vanir_signatures":[{"digest":{"length":572,"function_hash":"96396634766436962486186824206742436864"},"source":"https://github.com/curl/curl.git/commit/9069838b30fb3b48af0123e39f664cea683254a5","signature_type":"Function","id":"CURL-CVE-2019-5481-4acfb620","signature_version":"v1","deprecated":false,"target":{"function":"read_data","file":"lib/security.c"}},{"digest":{"threshold":0.9,"line_hashes":["125276924052840855915380710899870212822","191480086628784687049546312042565060666","149456929353650795858504597382427040306","9130101959543447349713849318245131968","120202765490244814700576512994178234660","110409134321296982669002614610987820110","104878278812958488640103651811755877156","300931236043868559594753071252185515812","296985849464696993397106380877422555584","206945651190738238742864264700656063172","37397681530750046010475776202275331065","91332757469882398262468708369555249277"]},"source":"https://github.com/curl/curl.git/commit/9069838b30fb3b48af0123e39f664cea683254a5","signature_type":"Line","id":"CURL-CVE-2019-5481-7a27c06c","signature_version":"v1","deprecated":false,"target":{"file":"lib/security.c"}}]}}],"schema_version":"1.7.3","credits":[{"name":"Thomas Vegas","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}