{"id":"CURL-CVE-2016-9586","summary":"printf floating point buffer overflow","details":"libcurl's implementation of the printf() functions triggers a buffer overflow\nwhen producing a large floating point output. The bug occurs when a single\nfloating point conversion outputs more than 255 bytes.\n\nThe flaw exists because the floating point conversion is done with system\nfunctions, into a fixed-size stack buffer, without the necessary boundary\nchecks.\n\nThe functions have been documented as deprecated for a long time and users are\ndiscouraged from using them in \"new programs\", as they are planned to be\nremoved at a future point. Since the functions are still present and nothing\nprevents users from calling them, we expect there to be a certain number of\nexisting users in the wild.\n\nAn application that accepts a format string from the outside without the\nnecessary input filtering could be attacked remotely through this flaw.\n\nThis flaw does not exist in the command line tool.","aliases":["CVE-2016-9586"],"modified":"2026-04-25T20:38:51.629606Z","published":"2016-12-21T08:00:00Z","database_specific":{"package":"curl","last_affected":"7.51.0","affects":"lib","severity":"Medium","URL":"https://curl.se/docs/CVE-2016-9586.json","CWE":{"desc":"Stack-based Buffer Overflow","id":"CWE-121"},"www":"https://curl.se/docs/CVE-2016-9586.html"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"5.4"},{"fixed":"7.52.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ae1912cb0d494b48d514d937826c9fe83ec96c4d"},{"fixed":"3ab3c16db6a5674f53cf23d56512a405fde0b2c9"}]}],"versions":["7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6","7.10.5","7.10.4","7.10.3","7.10.2","7.10.1","7.10","7.9.8","7.9.7","7.9.6","7.9.5","7.9.4","7.9.3","7.9.2","7.9.1","7.9","7.8.1","7.8","7.7.3","7.7.2","7.7.1","7.7","7.6.1","7.6","7.5.2","7.5.1","7.5","7.4.2","7.4.1","7.4","7.3","7.2.1","7.2","7.1.1","7.1","6.5.2","6.5.1","6.5","6.4","6.3.1","6.3","6.2","6.1","6.0","5.11","5.10","5.9.1","5.9","5.8","5.7.1","5.7","5.5.1","5.5","5.4"],"database_specific":{"vanir_signatures_modified":"2026-04-25T20:38:51Z","vanir_signatures":[{"signature_version":"v1","digest":{"function_hash":"211114519208650055076344136219458625700","length":323},"id":"CURL-CVE-2016-9586-07dac4b2","signature_type":"Function","deprecated":false,"target":{"file":"tests/libtest/lib557.c","function":"test"},"source":"https://github.com/curl/curl.git/commit/3ab3c16db6a5674f53cf23d56512a405fde0b2c9"},{"signature_version":"v1",
"digest":{"function_hash":"82525334694897781993033487228747233605","length":6389},"id":"CURL-CVE-2016-9586-08bbb4f3","signature_type":"Function","deprecated":false,"target":{"file":"lib/mprintf.c","function":"dprintf_formatf"},"source":"https://github.com/curl/curl.git/commit/3ab3c16db6a5674f53cf23d56512a405fde0b2c9"},{"signature_version":"v1","digest":{"function_hash":"158092856703675128111011926686898692697","length":199},"id":"CURL-CVE-2016-9586-22a58612","signature_type":"Function","deprecated":false,"target":{"file":"tests/libtest/lib557.c","function":"string_check"},"source":"https://github.com/curl/curl.git/commit/3ab3c16db6a5674f53cf23d56512a405fde0b2c9"},{"signature_version":"v1","digest":{"line_hashes":["11942832686748214896907900089257001896","187836274213166949671600154489639541411","244336826605226088052228124692896292870","42210730574766680898539681717202166736","251683723271637213601418574679579673746","308582535722003832416607375762091633384","234365861550045145542572040726806183906","205550063925122068846378699852642390812","67543373166406810932547016329833398560","241055953538366715003672176398199147070","184862927678874113048972209665838713593","131036052662979682003760770235705582296","96386588243461103982784516336428383158","73978368683934006055261089606236351020","229964440557538101366200101353759330548","107814566338911769947246472166708099771","334242855271045965851342897001345200639","225344294618582341479138702414062011525"],"threshold":0.9},"id":"CURL-CVE-2016-9586-56dff30c","signature_type":"Line","deprecated":false,"target":{"file":"tests/libtest/lib557.c"},"source":"https://github.com/curl/curl.git/commit/3ab3c16db6a5674f53cf23d56512a405fde0b2c9"},{"signature_version":"v1","digest":{"line_hashes":["156012617521171491859622210993252571929","7043533830607274945968325990263287496","225234344143410581867937584660413251035","96020644983719261496204771660642445","269397246054553262311565052109789035609","43773477270171385802718807203159864549","182702567176549671859378276399217937375","231472290127339047421771802290010834102","134977637589444715520372942725818775661","271645683019475383237059571118842020482","28280782076946776838786719161119645932","155308288193608381153539509152521412256","18769001316071606284217903526740214749","30972264610339507505671856090470485886","115417979111539725306119236542594086821"],"threshold":0.9},"id":"CURL-CVE-2016-9586-80951bb3","signature_type":"Line","deprecated":false,"target":{"file":"lib/mprintf.c"},"source":"https://github.com/curl/curl.git/commit/3ab3c16db6a5674f53cf23d56512a405fde0b2c9"}],"source":"https://curl.se/docs/CURL-CVE-2016-9586.json"}}],"schema_version":"1.7.5","credits":[{"name":"Daniel Stenberg","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}
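The shape the advisory describes, as an added C illustration that is not curl's code and does not reproduce lib/mprintf.c or the fix commit (whose signatures above point at dprintf_formatf): a printf engine builds a format string from caller-supplied width and precision and hands it to the system printf to fill one fixed 256-byte stack work buffer. `float_conv_vulnerable` is that pattern with an unbounded sprintf(); `float_output_len` is the pre-check that tells you whether a conversion would exceed the 255 bytes the buffer can hold; `float_conv_hardened` clamps width and precision to the buffer, uses the size-bounded snprintf() and reports truncation through its return value. The directive parser, the WORK_SIZE constant, the guarded_buf canary and the sample directives are constructed for this example and are assumptions, not details of libcurl.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model only, not libcurl's lib/mprintf.c: each floating point conversion is
 * formatted through the system printf into one fixed stack work buffer, so
 * outputs over 255 bytes overflow it. Flags (-, +, 0, #) are left out. */
#define WORK_SIZE 256

struct fmt_spec { long width, prec; char conv; };  /* -1 means "not given" */

/* Parse an untrusted directive such as "%300.2f". Width and precision are
 * capped at 1000000 so the accumulation itself cannot overflow a long. */
static bool parse_float_directive(const char *d, struct fmt_spec *s)
{
    if (*d++ != '%') return false;
    s->width = s->prec = -1;
    if (isdigit((unsigned char)*d)) s->width = 0;
    while (isdigit((unsigned char)*d))
        if ((s->width = s->width * 10 + (*d++ - '0')) > 1000000) return false;
    if (*d == '.') {
        s->prec = 0;
        d++;
        while (isdigit((unsigned char)*d))
            if ((s->prec = s->prec * 10 + (*d++ - '0')) > 1000000) return false;
    }
    if (!*d || !strchr("fFeEgG", *d)) return false;
    s->conv = *d++;
    return *d == '\0';
}

/* Build the format handed to the system printf from a (possibly clamped)
 * width and precision; 32 bytes hold "%", two 7-digit numbers, ".", conv, NUL. */
static void build_format(long width, long prec, char conv, char fmt[32])
{
    size_t n = 1;
    fmt[0] = '%';
    if (width >= 0) n += (size_t)snprintf(fmt + n, 32 - n, "%ld", width);
    if (prec >= 0) n += (size_t)snprintf(fmt + n, 32 - n, ".%ld", prec);
    snprintf(fmt + n, 32 - n, "%c", conv);
}

/* Bytes the system conversion would emit (C99 snprintf(NULL, 0, ...)): the
 * pre-check to run before trusting a fixed buffer with a float conversion. */
static long float_output_len(const struct fmt_spec *s, double v)
{
    char fmt[32];
    build_format(s->width, s->prec, s->conv, fmt);
    return snprintf(NULL, 0, fmt, v);
}

/* Vulnerable shape: unbounded sprintf() with whatever width and precision the
 * format asked for; "%300.2f" writes 300 bytes into the 256-byte buffer. */
static void float_conv_vulnerable(const struct fmt_spec *s, double v,
                                  char work[WORK_SIZE])
{
    char fmt[32];
    build_format(s->width, s->prec, s->conv, fmt);
    sprintf(work, fmt, v);  /* only safe if float_output_len() < WORK_SIZE */
}

/* Hardened shape: clamp width and precision to the buffer, then use the
 * size-bounded snprintf() and hand back what it wanted to write. A return
 * >= WORK_SIZE means safe truncation, not overflow ("%.255f" still needs 257). */
static long float_conv_hardened(const struct fmt_spec *s, double v,
                                char work[WORK_SIZE])
{
    long width = s->width < WORK_SIZE ? s->width : WORK_SIZE - 1;
    long prec = s->prec < WORK_SIZE ? s->prec : WORK_SIZE - 1;
    char fmt[32];
    build_format(width, prec, s->conv, fmt);
    int n = snprintf(work, WORK_SIZE, fmt, v);
    if (n < 0) work[0] = '\0';
    return n;
}

struct guarded_buf { char work[WORK_SIZE]; char canary[8]; };  /* canary follows work */

/* 1 = fit, 0 = safely truncated, -1 = canary clobbered (overflow), -2 = bad input */
static int convert_checked(const char *directive, double v, struct guarded_buf *g)
{
    struct fmt_spec s;
    if (!parse_float_directive(directive, &s)) return -2;
    memcpy(g->canary, "CANARY!", 8);
    long n = float_conv_hardened(&s, v, g->work);
    if (memcmp(g->canary, "CANARY!", 8) != 0) return -1;
    return n < 0 ? -2 : (n < WORK_SIZE ? 1 : 0);
}

int main(void)
{
    struct guarded_buf g;
    struct fmt_spec s;
    printf("hardened %%300.2f -> %d\n", convert_checked("%300.2f", 1.5, &g));  /* constructed hostile directive */
    if (parse_float_directive("%.2f", &s) && float_output_len(&s, 1.5) < WORK_SIZE)
        float_conv_vulnerable(&s, 1.5, g.work);  /* pre-checked, so it fits */
    return 0;
}
```

The caveat the hardened path makes explicit is that capping width and precision alone does not bound the output: "%.255f" of 1.5 still needs 257 bytes, so the size-bounded call and its return value are the real guard, and a caller that must not silently lose digits has to treat a return of WORK_SIZE or more as an error rather than as a result.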