{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2016-4802",
  "aliases": [
    "CVE-2016-4802"
  ],
  "summary": "Windows DLL hijacking",
  "modified": "2026-05-19T11:21:50.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2016-4802.json",
    "www": "https://curl.se/docs/CVE-2016-4802.html",
    "CWE": {
      "id": "CWE-94",
      "desc": "Improper Control of Generation of Code ('Code Injection')"
    },
    "last_affected": "7.49.0",
    "severity": "High"
  },
  "published": "2016-05-30T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.11.1"},
             {"fixed": "7.49.1"}
           ]
        }
      ],
      "versions": [
        "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", 
        "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", 
        "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", 
        "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", 
        "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", 
        "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", 
        "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", 
        "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", 
        "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", 
        "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", 
        "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", 
        "7.11.1"
      ]
    }
  ],
  "credits": [
    {
      "name": "Guohui from Huawei WeiRan Labs",
      "type": "FINDER"
    },
    {
      "name": "Steve Holme",
      "type": "REMEDIATION_DEVELOPER"
    },
    {
      "name": "Stefan Kanthak",
      "type": "OTHER"
    },
    {
      "name": "Jay Satiro",
      "type": "OTHER"
    }
  ],
  "details": "libcurl would load Windows system DLLs in a manner that may make it vulnerable\nto a DLL hijacking (aka binary planting) attack in certain configurations.\n\nlibcurl has a unified code base that builds and runs on a multitude of\ndifferent versions of Windows. To make that possible, when libcurl is built\nwith SSPI or telnet is used, it dynamically loads some of the necessary system\nDLLs at runtime by calling `LoadLibrary()`. No path is specified for these\nDLLs.\n\nTo find a DLL when no path is specified `LoadLibrary()` follows [DLL search\norder](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586.aspx#search_order_for_desktop_applications)\nto load it. If it is a \"known DLL\" no searching is done, the system copy is\nused. If it is not a \"known DLL\": The application directory is searched first.\nThe current directory is searched next, if DLL safe search mode is not\nenabled. The system directory is searched next.\n\nThe 3 system DLLs libcurl loads dynamically are `security.dll`, `secur32.dll`\nand `ws2_32.dll` (a \"known DLL\" when installed). These DLLs may not be present\non some versions of Windows, which is why they are loaded\ndynamically. Depending on a number of factors outlined in the DLL search order\ndocument it may be possible for an attacker to plant a DLL of the same name in\nthe user's current directory, application directory or other directory in the\nDLL search order, thereby possibly causing it to be loaded first.\n\n**Recent versions of Windows include all 3 of those dynamically loaded system\nDLLs and also enable safe DLL search mode by default. Therefore in such a case\n`ws2_32.dll` could not be planted, and `security.dll` or `secur32.dll` could\nonly be planted in the application directory.**\n\nTo address this issue we have changed libcurl so that any system DLL it\ndynamically loads in Windows is done in the most secure way available.\n\nNote if an attacker has the ability to write new files to your application\ndirectory they can likely still plant DLLs to be loaded in any case, load-time\nor runtime. This is by design in Windows DLL loading (refer to the DLL\nsearch order doc). For example it may be possible to override DLL search paths\nby planting an app.exe.local file or possibly a fake manifest. There is\nnothing we can do to prevent against this. We advise you to guard write\npermissions on your application directory.\n\n**Also note it may still be possible for planting attacks to be done\nagainst load-time DLLs used by libcurl and the curl tool. This is because\nWindows loads those DLLs and their dependencies without specifying a\npath. There is nothing we can do to fix this, it is endemic in the design of\nWindows. We advise you to guard write permissions on your application\ndirectory.**"
}