Vulnerability Description
The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly have unspecified other impact via a wildcard certificate name, which triggers an out-of-bounds read.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Haxx | Curl | >= 7.30.0, <= 7.51.0 |
| Microsoft | Windows Embedded Compact | - |
Related Weaknesses (CWE)
References
- https://curl.haxx.se/CVE-2016-9952.patchVendor Advisory
- https://curl.haxx.se/docs/adv_20161221C.htmlVendor Advisory
- https://curl.haxx.se/CVE-2016-9952.patchVendor Advisory
- https://curl.haxx.se/docs/adv_20161221C.htmlVendor Advisory
FAQ
What is CVE-2016-9953?
CVE-2016-9953 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive informati...
How severe is CVE-2016-9953?
CVE-2016-9953 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-9953?
Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl, Microsoft Windows Embedded Compact.