NTLM type-2 out-of-bounds buffer read

Project curl Security Advisory, February 6th 2019


libcurl contains a heap buffer out-of-bounds read flaw.

The function handling incoming NTLM type-2 messages (lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming data correctly and is subject to an integer overflow vulnerability.

Using that overflow, a malicious or broken NTLM server could trick libcurl into accepting a bad length + offset combination that would lead to an out-of-bounds buffer read.
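The following added example is not libcurl's code and is not taken from the patch. It shows the general pattern behind a bad length + offset combination: a bounds check that sums two untrusted values in 32 bits, next to a form that cannot wrap. All function names and sample values are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flawed: offset + len is computed in 32 bits and wraps for a huge
   offset, so the sum looks small and the comparison passes. */
static int range_ok_flawed(uint32_t offset, uint16_t len, uint32_t size)
{
  uint32_t end = offset + (uint32_t)len; /* wraps modulo 2^32 */
  return end <= size;
}

/* Hardened: bound the offset first, then compare the length against
   the remaining space; no sum of untrusted values is ever formed. */
static int range_ok_safe(uint32_t offset, uint16_t len, uint32_t size)
{
  if(offset > size)
    return 0;
  return (uint32_t)len <= size - offset;
}

/* Copy a field out of msg only when the safe check accepts it.
   Returns the number of bytes copied, or -1 when rejected. */
static int copy_field(const unsigned char *msg, uint32_t size,
                      uint32_t offset, uint16_t len,
                      unsigned char *out, size_t outsz)
{
  if(!range_ok_safe(offset, len, size) || len > outsz)
    return -1;
  memcpy(out, msg + offset, len);
  return (int)len;
}

int main(void)
{
  unsigned char msg[64] = {0}; /* constructed 64-byte message */
  unsigned char out[32];
  /* constructed field: 0xFFFFFFF0 + 0x20 wraps to 0x10 */
  uint32_t offset = 0xFFFFFFF0u;
  uint16_t len = 0x20;

  printf("flawed check accepts: %d\n",
         range_ok_flawed(offset, len, sizeof(msg)));
  printf("safe check accepts:   %d\n",
         range_ok_safe(offset, len, sizeof(msg)));
  printf("copy of bad field:    %d\n",
         copy_field(msg, sizeof(msg), offset, len, out, sizeof(out)));
  printf("copy of good field:   %d\n",
         copy_field(msg, sizeof(msg), 48, 16, out, sizeof(out)));
  return 0;
}
```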

We are not aware of any exploit of this flaw.


This bug was introduced in commit 86724581b6c, January 2014.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2018-16890 to this issue.

CWE-125: Out-of-bounds Read

Severity: 5.3 (Medium)


libcurl is used by many applications, but not always advertised as such.


A patch for CVE-2018-16890


We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl to version 7.64.0

B - Apply the patch to your version and rebuild

C - Turn off NTLM authentication


The issue was reported to the curl project on December 30, 2018. We contacted distros@openwall on January 28.

curl 7.64.0 was released on February 6 2019, coordinated with the publication of this advisory.


Reported by Wenxiang Qian of Tencent Blade Team. Patch by Daniel Stenberg.

Thanks a lot!