HACKERONE

curl: Heap Buffer Overflow in TFTP (H1:3444904)

Description

# Summary:
A heap buffer overflow vulnerability exists in the TFTP implementation of libcurl. The vulnerability is triggered when a malicious TFTP server sends an OACK (Option acknowledgment) packet with a blksize option that is larger than the default block size (512 bytes). libcurl updates its internal block size variable but fails to reallocate the receive and send buffers (rpacket and spacket). When the application subsequently receives data (in tftp_rx) or sends data (in tftp_tx) using the larger block size, it writes past the end of the allocated buffer, leading to a heap buffer overflow.


# Affected version
**curl 8.18.0-DEV** (per LIBCURL_VERSION in include/curl/curlver.h). Platform: Windows (where the issue was reproduced).


# Steps To Reproduce:
1. Save the provided reproduction script as tftp_repro.py.
2. Run the script: python tftp_repro.py. This starts a malicious TFTP server on port 6969.
3. In another terminal, run a curl command to fetch a file from this server: curl tftp://localhost:6969/test (Note: Ensure you are using a curl build that includes this vulnerable code. If testing with a system curl, it might not be vulnerable or might be a different version).
4. The server will send an OACK with blksize=2048 and then a DATA packet of 2048 bytes.
5. The curl client will crash or exhibit undefined behavior due to the heap overflow.

# Supporting Material/References:
Vulnerable Code Location: **lib/tftp.c**, function **tftp_parse_option_ack**, which updates **state->blksize** without reallocating **state->spacket.data** and **state->rpacket.data**.
Reproduction Script: **tftp_repro.py**
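As an added illustration of the defect described in the Summary and in the Supporting Material above, the following C model shows the check that is missing: the negotiated block size must never exceed the capacity of the buffers it governs. This is not libcurl's lib/tftp.c and not the reporter's script; every name (tftp_state, tftp_packet, tftp_apply_blksize, tftp_rx, the TFTP_* constants) is an assumption made for this example. Only the OACK layout and the 8..65464 blksize range are taken from RFC 2347/2348. The OACK bytes in the test are constructed.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of the client state the report describes.
 * This is NOT libcurl's lib/tftp.c; every name and constant here is an assumption,
 * except the blksize range and OACK layout, which follow RFC 2347/2348. */
#define TFTP_BLKSIZE_DEFAULT 512UL
#define TFTP_BLKSIZE_MIN     8UL       /* RFC 2348 lower bound */
#define TFTP_BLKSIZE_MAX     65464UL   /* RFC 2348 upper bound */
#define TFTP_HEADER_LEN      4         /* 2-byte opcode + 2-byte block number */
#define TFTP_OPCODE_OACK     6

struct tftp_packet { unsigned char *data; size_t capacity; /* bytes allocated */ };

struct tftp_state {
    size_t requested_blksize;   /* blksize the client offered in its request */
    size_t blksize;             /* blksize currently in effect */
    struct tftp_packet rpacket; /* receive buffer */
    struct tftp_packet spacket; /* send buffer */
};

static int tftp_packet_resize(struct tftp_packet *p, size_t capacity) {
    unsigned char *n = realloc(p->data, capacity);
    if (!n) return -1;
    p->data = n;
    p->capacity = capacity;
    return 0;
}

int tftp_state_init(struct tftp_state *s, size_t requested_blksize) {
    memset(s, 0, sizeof *s);
    s->requested_blksize = requested_blksize;
    s->blksize = TFTP_BLKSIZE_DEFAULT;
    if (tftp_packet_resize(&s->rpacket, TFTP_HEADER_LEN + TFTP_BLKSIZE_DEFAULT)) return -1;
    return tftp_packet_resize(&s->spacket, TFTP_HEADER_LEN + TFTP_BLKSIZE_DEFAULT);
}

void tftp_state_free(struct tftp_state *s) {
    free(s->rpacket.data);
    free(s->spacket.data);
    memset(s, 0, sizeof *s);
}

/* The defect in the report is assigning blksize without touching the buffers.
 * Here the value is range-checked, capped at what the client offered (RFC 2348
 * lets a server only lower it), and both buffers are grown BEFORE blksize
 * changes, so blksize can never exceed the allocated capacity. */
int tftp_apply_blksize(struct tftp_state *s, unsigned long value) {
    size_t need;
    if (value < TFTP_BLKSIZE_MIN || value > TFTP_BLKSIZE_MAX) return -1;
    if (value > s->requested_blksize) return -1;
    need = TFTP_HEADER_LEN + (size_t)value;
    if (need > s->rpacket.capacity && tftp_packet_resize(&s->rpacket, need)) return -1;
    if (need > s->spacket.capacity && tftp_packet_resize(&s->spacket, need)) return -1;
    s->blksize = (size_t)value;
    return 0;
}

/* Option names are case-insensitive (RFC 2347). */
static int opt_equals(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Parse an OACK: opcode 6, then NUL-terminated "name\0value\0" pairs. Every
 * string is bounded by the packet length; a malformed packet is rejected. */
int tftp_parse_option_ack(struct tftp_state *s, const unsigned char *pkt, size_t len) {
    size_t pos = 2;
    if (len < 2 || pkt[0] != 0 || pkt[1] != TFTP_OPCODE_OACK) return -1;
    while (pos < len) {
        const char *name = (const char *)pkt + pos, *val;
        const unsigned char *nul = memchr(pkt + pos, 0, len - pos);
        if (!nul) return -1;                      /* unterminated option name */
        pos = (size_t)(nul - pkt) + 1;
        if (pos >= len) return -1;                /* name without a value */
        val = (const char *)pkt + pos;
        nul = memchr(pkt + pos, 0, len - pos);
        if (!nul) return -1;                      /* unterminated option value */
        pos = (size_t)(nul - pkt) + 1;
        if (opt_equals(name, "blksize")) {
            char *end;
            unsigned long v = strtoul(val, &end, 10);
            if (end == val || *end != '\0') return -1;   /* not a plain decimal */
            if (tftp_apply_blksize(s, v)) return -1;     /* out of range or too big */
        }
    }
    return 0;
}

/* Copy a DATA payload into rpacket. The bound is the buffer's real capacity,
 * not blksize alone, so a mismatch between the two can never write past the end. */
int tftp_rx(struct tftp_state *s, const unsigned char *payload, size_t len) {
    if (len > s->blksize || TFTP_HEADER_LEN + len > s->rpacket.capacity) return -1;
    memcpy(s->rpacket.data + TFTP_HEADER_LEN, payload, len);
    return (int)len;
}
```

Two design points matter for the class of bug the report describes. First, the size change and the reallocation happen in one function, in that order, so there is no window in which blksize is larger than the buffer. Second, the copy in tftp_rx is bounded by the buffer's recorded capacity rather than by blksize, which turns a future mismatch into a rejected packet instead of a heap write. The send path (tftp_tx in the report) needs the same capacity bound on spacket; it is omitted here only to keep the example short.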

## Impact

# Summary:
This vulnerability allows a malicious TFTP server to cause a heap buffer overflow on the client.

**Remote Code Execution (RCE)**: By carefully crafting the payload in the DATA packet, an attacker could overwrite critical heap metadata or function pointers, potentially leading to arbitrary code execution on the victim's machine with the privileges of the curl process.

**Denial of Service (DoS)**: The overflow can corrupt memory structures, causing the curl application to crash or behave unpredictably, leading to a denial of service.


Basic Information

ID H1:3444904
Published Nov 29, 2025 at 17:06
Modified Dec 1, 2025 at 07:41
