{“lastseen”:”2025-10-31T12:02:41″,”description”:”## Summary:\\n[In addvariable() (used by setvariable()), the code allocates memory for p-\\u003ename without space for a null-terminator and copies nlen bytes directly. Later, functions like varcontent() call strlen() on this name, assuming it is null-terminated. This can lead to out-of-bounds memory reads, causing crashes (DoS) or potential information leakage, depending on the runtime context. The issue affects curl\u2019s variable management code and can be triggered via normal usage of –variable or internal API calls.]\\n\\n[No AI assistance was used to find this issue or generate this report.]\\n\\n#source file\\nhttps:\/\/github.com\/curl\/curl\/blob\/master\/src\/var.c\\n#issue code\\n( p = calloc(1, sizeof(struct tool_var) + nlen);\\n if(p) {\\n memcpy(p-\\u003ename, name, nlen);)\\n\\n## Steps To Reproduce:\\n 1. [Clone the repo and enter it]\\ngit clone https:\/\/github.com\/curl\/curl.git\\ncd curl\\nCFLAGS=\\”-fsanitize=address,undefined -g -O1\\” .\/configure\\nmake -j$(nproc)\\n\\n 2. [Add a variable via setvariable() (e.g., \\”TESTVAR=value\\”).]\\n 3. [Lookup the variable using varcontent() or varexpand().]\\n 4. [Observe crash or out-of-bounds read via ASAN\/UBSAN logs]\\n\\n#issue code picture location with image\\n#F4950584\\n\\n## Impact\\n\\naddvariable() fails to NUL\u2011terminate stored variable names, so subsequent calls to strlen() can read past the allocated buffer and cause an immediate program crash. This results in an availability impact (easy DoS if the code path is reachable), and the out\u2011of\u2011bounds read may also expose adjacent memory, creating a potential confidentiality issue. While this bug alone is unlikely to enable remote code execution, it increases overall exploitability when combined with other vulnerabilities. Triage severity should be considered Medium, escalating to High if an information leak can be demonstrated.”,”published”:”2025-10-30T16:55:52″,”modified”:”2025-10-31T11:35:52″,”type”:”hackerone”,”title”:”curl: Buffer over-read,, Missing NUL termination in addvariable() causes undefined behavior”,”source”:””,”references”:””,”id”:”H1:3406123″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3406123″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-31T12:02:41″,”description”:”## Summary:\\n[In addvariable() (used by setvariable()), the code allocates memory for p-\\u003ename without space for a null-terminator and copies nlen bytes directly. Later, functions like…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-24246","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n