HACKERONE

curl: Integer Underflow in src/var.c_H1:3523349

Description

# Summary:

A potential integer underflow vulnerability was identified in the `setvariable` function within `src/var.c`. The flaw occurs during the calculation of the variable content length (`clen`) when a byte range is specified: the code fails to validate that `startoffset` is not greater than `endoffset` before performing the subtraction, so a reversed range produces a massive wrapped-around value when cast to `size_t`.
This leaves `clen` holding an impossibly large value, which can cause memory corruption when it is passed to downstream functions.

URL: https://github.com/curl/curl/blob/master/src/var.c#L375

Function: `setvariable()`
File: `src/var.c:480`
`clen = (size_t)(endoffset - startoffset) + 1;`

**Proof of Concept**
Using a debugger (GDB) to simulate the logic bypass:
Set a breakpoint at `setvariable`.
Manipulate the offsets: `set var startoffset = 100` and `set var endoffset = 50`.

Result: `clen` as `size_t`: `18446744073709551567`

{F5270811}

**Workarounds**
Add a sanity check to ensure `startoffset` does not exceed `endoffset` before the calculation.
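As an added illustration of the unchecked subtraction described above and of the sanity check proposed as a workaround (constructed example code, not curl's own; the `long` offset type, the content-bounds check and the function names are assumptions):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the clen calculation from the report. The offset
 * type (long) and the function names are assumptions, not curl's code. */

/* Unchecked form: a reversed range (start > end) makes the difference
 * negative; the cast to size_t wraps it to a huge positive length.
 * With 64-bit size_t, (100, 50) yields 18446744073709551567, the value
 * observed in the report. */
size_t clen_unchecked(long startoffset, long endoffset)
{
    return (size_t)(endoffset - startoffset) + 1;
}

/* Checked form: validates ordering and bounds before subtracting and
 * reports failure instead of producing an impossible length. */
bool clen_checked(long startoffset, long endoffset, size_t content_len,
                  size_t *clen)
{
    if(startoffset < 0 || endoffset < 0)
        return false;                 /* negative offsets are never valid */
    if(startoffset > endoffset)
        return false;                 /* the reversed range from the report */
    if((size_t)endoffset >= content_len)
        return false;                 /* range would run past the content */
    *clen = (size_t)(endoffset - startoffset) + 1;
    return true;
}

/* Copies the selected range into out only when the length is sane;
 * returns the number of bytes copied, 0 when the range is rejected. */
size_t copy_range(const char *content, long startoffset, long endoffset,
                  char *out, size_t outsz)
{
    size_t clen;
    if(!clen_checked(startoffset, endoffset, strlen(content), &clen))
        return 0;
    if(clen > outsz)
        return 0;                     /* destination buffer too small */
    memcpy(out, content + startoffset, clen);
    return clen;
}

int main(void)
{
    const char *content = "abcdefghijklmnopqrstuvwxyz"; /* constructed input */
    char out[16];
    printf("unchecked 100..50: clen=%zu\n", clen_unchecked(100, 50));
    printf("checked   100..50: copied=%zu\n", copy_range(content, 100, 50, out, sizeof(out)));
    printf("checked   2..5:    copied=%zu\n", copy_range(content, 2, 5, out, sizeof(out)));
    return 0;
}
```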

## Impact

This massive `clen` value is subsequently passed to `addvariable()`, where it is used as a length parameter for memory operations. This can lead to:

Heap buffer overflow: attempting to copy data using an invalid length.

Denial of service: triggering an out-of-memory condition or a crash.

Basic Information

ID H1:3523349
Published Jan 25, 2026 at 00:02
Modified Jan 26, 2026 at 07:38
