{"id":"CURL-CVE-2019-3823","summary":"SMTP end-of-response out-of-bounds read","details":"libcurl contains a heap out-of-bounds read in the code handling the\nend-of-response for SMTP.\n\nIf the buffer passed to `smtp_endofresp()` is not null terminated and contains\nno character ending the parsed number, and `len` is set to 5, then the\n`strtol()` call reads beyond the allocated buffer. The read content is not\nreturned to the caller.","aliases":["CVE-2019-3823"],"modified":"2026-04-25T20:38:45.128282Z","published":"2019-02-06T08:00:00Z","database_specific":{"package":"curl","affects":"both","severity":"Low","CWE":{"id":"CWE-125","desc":"Out-of-bounds Read"},"last_affected":"7.63.0","URL":"https://curl.se/docs/CVE-2019-3823.json","www":"https://curl.se/docs/CVE-2019-3823.html"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.34.0"},{"fixed":"7.64.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"2766262a68688c1dd8143f9c4be84b46c408b70a"},{"fixed":"39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484"}]}],"versions":["7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0"],"database_specific":{"vanir_signatures":[{"id":"CURL-CVE-2019-3823-5d016fd5","signature_type":"Function","signature_version":"v1","digest":{"length":557,"function_hash":"166416251957804652761319498324214462375"},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484","target":{"file":"lib/smtp.c","function":"smtp_endofresp"}},{"id":"CURL-CVE-2019-3823-e149f9eb","signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["42064024752947728907032929215875540612","210885907586175489899582649544801291968","52075376533669850386362661131930089864","331136045233207354496618669619317209087","269779084420141583264101229728341459842","157649116849806821314090604315732292019","53212997522191032078672203626269152254"],"threshold":0.9},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484","target":{"file":"lib/smtp.c"}}],"source":"https://curl.se/docs/CURL-CVE-2019-3823.json","vanir_signatures_modified":"2026-04-25T20:38:45Z"}}],"schema_version":"1.7.5","credits":[{"name":"Brian Carpenter (Geeknik Labs)","type":"FINDER"},{"name":"Daniel Gustafsson","type":"REMEDIATION_DEVELOPER"}]}