{"id":"CURL-CVE-2018-14618","summary":"NTLM password overflow via integer overflow","details":"libcurl contains a buffer overrun in the NTLM authentication code.\n\nThe internal function `Curl_ntlm_core_mk_nt_hash` multiplies the `length` of\nthe password by two (SUM) to figure out how large temporary storage area to\nallocate from the heap.\n\nThe `length` value is then subsequently used to iterate over the password and\ngenerate output into the allocated storage buffer. On systems with a 32-bit\n`size_t`, the math to calculate SUM triggers an integer overflow when the\npassword length exceeds 2GB (2^31 bytes). This integer overflow usually causes\na tiny buffer to actually get allocated instead of the intended huge one,\nmaking the use of that buffer end up in a heap buffer overflow.\n\n(This bug is almost identical to\n[CVE-2017-8816](https://curl.se/docs/CVE-2017-8816.html).)","aliases":["CVE-2018-14618"],"modified":"2025-11-12T00:50:45Z","published":"2018-09-05T08:00:00Z","database_specific":{"package":"curl","severity":"High","last_affected":"7.61.0","affects":"both","www":"https://curl.se/docs/CVE-2018-14618.html","URL":"https://curl.se/docs/CVE-2018-14618.json","CWE":{"id":"CWE-131","desc":"Incorrect Calculation of Buffer Size"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.15.4"},{"fixed":"7.61.1"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"be285cde3f52571087816759220a68cb994d9307"},{"fixed":"57d299a499155d4b327e341c6024e293b0418243"}]}],"versions":["7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/curl/curl.git/commit/57d299a499155d4b327e341c6024e293b0418243","signature_type":"Line","target":{"file":"lib/curl_ntlm_core.c"},"signature_version":"v1","id":"CURL-CVE-2018-14618-98a98d12","digest":{"line_hashes":["308639007250509123190976279093395161667","22425808840478996378096397749848053213","180330362882211631427711985805115613750","169213246600422826387397555860516277626","71393262281816378382005532163113147318"],"threshold":0.9},"deprecated":false},{"source":"https://github.com/curl/curl.git/commit/57d299a499155d4b327e341c6024e293b0418243","signature_type":"Function","target":{"function":"Curl_ntlm_core_mk_nt_hash","file":"lib/curl_ntlm_core.c"},"signature_version":"v1","id":"CURL-CVE-2018-14618-b9807594","digest":{"length":1784,"function_hash":"218596901524376433772706707277383241298"},"deprecated":false}],"source":"https://curl.se/docs/CURL-CVE-2018-14618.json"}}],"schema_version":"1.7.3","credits":[{"name":"Zhaoyang Wu","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}