ALPINE-CVE-2018-1000005

ALPINE-CVE-2018-1000005 PUBLISHED CVSS 9.100000381469727 CRITICAL

libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.

Risk Scores

CVSS v3.0

9.100000381469727

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Affected Products

Vendor	Product	Versions
Alpine:v3.4	curl	7.19.2-r0, 7.19.4-r0, 7.19.5-r0
Alpine:v3.7	curl	7.36.0-r0, 7.37.0-r0, 7.37.1-r0
Alpine:v3.6	curl	7.57.0-r0, 7.50.3-r1, 7.51.0-r0
Alpine:v3.5	curl	7.19.7-r1, 7.19.2-r1, 7.19.4-r0

Timeline

Jan 24, 2018 CVE Published
Nov 19, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2018-1000005 advisory

Open in Interactive Console →