Public Date:
1536013: CVE-2018-1000005 curl: Out-of-bounds read in code handling HTTP/2 trailers

The MITRE CVE dictionary describes this issue as:

libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported ( that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.

Find out more about CVE-2018-1000005 from the MITRE CVE dictionary dictionary and NIST NVD.


This flaw was introduced in curl-7.49.0. Therefore the versions of curl shipped with Red Hat Enterprise Linux 5, 6 and 7 and Red Hat Ceph Storage 2 are not affected by this flaw.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 4.8
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Impact None
Availability Impact Low

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux httpd24-curl Not affected
Red Hat JBoss Core Services 1 curl Affected
Red Hat Enterprise Linux 7 curl Not affected
Red Hat Enterprise Linux 6 curl Not affected
Red Hat Enterprise Linux 5 curl Not affected
Red Hat Ceph Storage 2 curl Not affected
.NET Core 2.0 on Red Hat Enterprise Linux rh-dotnet20-curl Not affected
.NET Core 1.0 on Red Hat Enterprise Linux rh-dotnetcore10-curl Not affected
.NET Core 1.0 on Red Hat Enterprise Linux rh-dotnetcore11-curl Not affected


Red Hat would like to thank the Curl project for reporting this issue. Upstream acknowledges Zhouyihai Ding as the original reporter.

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation