LOWCVE-2016-8622CVSS 3.7

CVE-2016-8622: Heap Overflow in libcurl 7.51.0

Platform

Component

curl

Fixed in

7.51.1

AI Confidence: highNVDReviewed: May 2026

View on NVD

Save

CVE-2016-8622 describes a heap overflow vulnerability discovered in libcurl versions 7.51.0 through 7.51.0. This flaw arises from an issue in the URL percent-encoding decode function, curleasyunescape, which can lead to out-of-bounds writes when handling specially crafted URLs. The vulnerability has been assigned a CVSS score of 3.7 (LOW). A patch is available in libcurl version 7.51.0.

Impact and Attack Scenarios

An attacker could exploit this vulnerability by sending a specially crafted URL to an application using the vulnerable version of libcurl. The crafted URL would trigger the out-of-bounds write in the curleasyunescape function, potentially overwriting critical data in the heap. This could lead to a denial-of-service (DoS) condition, causing the application to crash. In a worst-case scenario, an attacker might be able to leverage this overflow to execute arbitrary code, although this would require further exploitation and is considered less likely given the LOW CVSS score. The blast radius is limited to the application using libcurl; however, widespread use of libcurl means many applications could be affected.

Exploitation Context

CVE-2016-8622 was publicly disclosed on July 31, 2018. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The LOW CVSS score suggests a relatively low probability of exploitation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

CVSS Vector

Affected Software

Componentcurl

VendorThe Curl Project

Affected rangeFixed in

7.51.0 – 7.51.07.51.1

Weakness Classification (CWE)

CWE-190 CWE-122

Timeline

Reserved2016-10-12
Published2018-07-31
Modified2026-04-15

Mitigation and Workarounds

The primary mitigation for CVE-2016-8622 is to upgrade to libcurl version 7.51.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation to sanitize URLs before they are processed by libcurl. Specifically, limit the length of URLs and carefully examine percent-encoded characters. Web application firewalls (WAFs) can be configured to detect and block requests containing suspicious URL patterns. While no specific Sigma or YARA rules exist for this vulnerability, monitoring for unexpected application crashes or memory corruption errors related to libcurl can provide early detection.

How to fix

Update to version 7.51.0 or later of libcurl to mitigate the vulnerability. This update fixes a buffer overflow in the URL percent-encoding decoding function, preventing potential arbitrary code execution.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2016-8622 — Heap Overflow in libcurl 7.51.0?

CVE-2016-8622 is a heap overflow vulnerability in libcurl versions 7.51.0–7.51.0, caused by improper URL percent-encoding decoding. It can lead to out-of-bounds writes and potential DoS.

Am I affected by CVE-2016-8622 in libcurl 7.51.0?

You are affected if your application uses libcurl version 7.51.0 or earlier. Check your libcurl version and upgrade if necessary.

How do I fix CVE-2016-8622 in libcurl 7.51.0?

Upgrade to libcurl version 7.51.0 or later. This version includes a patch that resolves the heap overflow vulnerability.

Is CVE-2016-8622 being actively exploited?

There is no current evidence of active exploitation campaigns targeting CVE-2016-8622.

Where can I find the official libcurl advisory for CVE-2016-8622?

Refer to the libcurl security advisory: https://curl.se/security/advisories/