{"id":"CURL-CVE-2018-1000005","summary":"HTTP/2 trailer out-of-bounds read","details":"libcurl contains an out-of-bounds read in code handling HTTP/2 trailers.\n\nIt was [reported](https://github.com/curl/curl/pull/2231) that reading an\nHTTP/2 trailer could mess up future trailers since the stored size was one\nbyte less than required.\n\nThe problem is that the code that creates HTTP/1-like headers from the HTTP/2\ntrailer data once appended a string like `\":\"` to the target buffer, while\nthis was recently changed to `\": \"` (a space was added after the colon) but\nthe associated math was not updated correspondingly.\n\nWhen accessed, the data is read out of bounds and causes either a crash or\nthat the (too large) data gets passed to the libcurl callback. This might lead\nto a denial-of-service situation or an information disclosure if someone has a\nservice that echoes back or uses the trailers for something.","aliases":["CVE-2018-1000005"],"modified":"2026-04-25T20:38:48.353925Z","published":"2018-01-24T08:00:00Z","database_specific":{"last_affected":"7.57.0","severity":"Low","package":"curl","affects":"both","CWE":{"id":"CWE-126","desc":"Buffer Over-read"},"www":"https://curl.se/docs/CVE-2018-1000005.html","URL":"https://curl.se/docs/CVE-2018-1000005.json"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.49.0"},{"fixed":"7.58.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"0761a51ee0551ad9e523cbdba24ce00d22fff9c1"},{"fixed":"fa3dbb9a147488a2943bda809c66fc497efe06cb"}]}],"versions":["7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0"],"database_specific":{"vanir_signatures_modified":"2026-04-25T20:38:48Z","source":"https://curl.se/docs/CURL-CVE-2018-1000005.json","vanir_signatures":[{"target":{"file":"lib/http2.c"},"source":"https://github.com/curl/curl.git/commit/fa3dbb9a147488a2943bda809c66fc497efe06cb","id":"CURL-CVE-2018-1000005-71fc75cd","digest":{"line_hashes":["282594126888140028228277749074138099553","40991569800935917858892231272272988584","95792618963566449240292544714322976924","197448932819711430286793144722352352410"],"threshold":0.9},"deprecated":false,"signature_type":"Line","signature_version":"v1"},{"target":{"file":"lib/http2.c","function":"on_header"},"source":"https://github.com/curl/curl.git/commit/fa3dbb9a147488a2943bda809c66fc497efe06cb","id":"CURL-CVE-2018-1000005-d7fb97d0","digest":{"function_hash":"67385459130250674587968461156705047700","length":2561},"deprecated":false,"signature_type":"Function","signature_version":"v1"}]}}],"schema_version":"1.7.5","credits":[{"name":"Zhouyihai Ding","type":"FINDER"},{"name":"Zhouyihai Ding","type":"REMEDIATION_DEVELOPER"},{"name":"Ray Satiro","type":"OTHER"}]}