Vulnerability

CVE-2016-7167

Medium· 9.8CVSS9.8EPSS2%

.rules3/5

curl/libcurl: curl escape and unescape integer overflows

The four libcurl functions `curl_escape()`, `curl_easy_escape()`, `curl_unescape` and `curl_easy_unescape` perform string URL percent escaping and unescaping. They accept custom string length inputs in signed integer arguments. (The functions having names without "easy" being the deprecated versions of the others.) The provided string length arguments were not properly checked and due to arithmetic in the functions, passing in the length `0xffffffff` (2^32-1 or `UINT_MAX` or even -1) would end up causing an allocation of zero bytes of heap memory that curl would attempt to write gigabytes of data into. The use of 'int' for this input type in the API is of course unwise but has remained so in order to maintain the API over the years.

Threat signal

98/100

Severe

Severity

medium

CVSS

9.8

EPSS

Active

CVSS

v3.0via NVDOpen in FIRST calculator →

9.8/ 10CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNetworkExploitable remotely over the internet — no local access needed.
Attack ComplexityLowNo special conditions — exploit works reliably.
Privileges RequiredNoneUnauthenticated — no credentials needed.
User InteractionNoneFully automated — no victim action needed.
ScopeUnchangedImpact contained to the vulnerable component.
Confidentiality ImpactHighTotal disclosure of sensitive data.
Integrity ImpactHighTotal compromise of integrity — full data modification possible.
Availability ImpactHighTotal loss of availability — full DoS possible.

EPSS

Exploit prediction · 30-day horizonFIRST.org →

2.26%

probability of exploitation in next 30 days

p85

higher than 85% of all CVEs

3-day trend↑ 0pp

Mid-pack — moderate exploitation likelihood.

Vendor VEX

No VEX statements published for CVE-2016-7167. Vendors publish VEX (Vulnerability Exploitability eXchange) to assert per-product whether a CVE is actually exploitable in their distribution.

SSVCTrack

Total impact on non-trivial mission systems

exploitation: none
automatable: yes
impact: total
mission: support

Lifecycle

2016-09-14Published
2026-05-19Last modified2 sources

References

https://curl.se/docs/CVE-2016-7167.html

No source-event history recorded yet. New revisions will appear here as ingestors re-fetch this CVE.