libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.
Conclusion & alert: CVE-2019-3822 is rated High Exploit Risk (82.7/100): CVSS Critical severity, with high exploitation likelihood (EPSS 12.77%, 96th percentile). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 18.52% | 12.77% | -5.75% |
| 2 | 2026-05-29 | 17.58% | 18.52% | +0.94% |
| 3 | 2026-05-26 | — | 17.58% | — |
Full EPSS history (35 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| 7.1 | 3.0 | HIGH |
|
2.8 | 4.2 | [email protected] |
| 7.5 | 2.0 | HIGH |
|
10.0 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
critical | CVE-2019-3822: 1 source package rows (curl); 10 state rows across 10 repos (3.10-main, 3.11-main, 3.12-main, 3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 10, open 0. | https://security.alpinelinux.org/vuln/CVE-2019-3822 |
debian
|
not yet assigned | CVE-2019-3822 not yet assigned priority: Debian including 1 source packages (curl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2019-3822 |
gentoo
|
normal | CVE-2019-3822: 1 GLSA(s) (201903-03), 1 atom(s) (net-misc/curl); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2019-3822 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2019-3822 |
suse
|
medium | CVE-2019-3822 severity moderate: SUSE including 359 source package names (0.1.0:libcurl4-7.60.0-3.17.1, 0.1.75:libcurl4-7.60.0-3.17.1, …), 439 product×package rows across 98 product lines (Container caasp/v4/389-ds, Container caasp/v4/busybox, … (98 product lines)): Fixed 267, Known Affected 157, Known Not Affected 15. | https://www.suse.com/security/cve/CVE-2019-3822/ |
ubuntu
|
medium | CVE-2019-3822 medium priority: Ubuntu including 1 source packages (curl), 5 status rows across 5 suites (bionic, cosmic, trusty, upstream, xenial): released 4, not-affected 1. | https://ubuntu.com/security/CVE-2019-3822 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| haxx | libcurl | >= 7.36.0, < 7.64.0 | cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 14.04 | cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* |
| canonical | ubuntu_linux | 16.04 | cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* |
| canonical | ubuntu_linux | 18.04 | cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* |
| canonical | ubuntu_linux | 18.10 | cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| netapp | active_iq_unified_manager | >= 7.3 | cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:* |
| netapp | active_iq_unified_manager | >= 9.5 | cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vsphere:*:* |
| netapp | clustered_data_ontap | — | cpe:2.3:a:netapp:clustered_data_ontap:*:*:*:*:*:*:*:* |
| netapp | oncommand_insight | — | cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* |
| netapp | oncommand_workflow_automation | — | cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* |
| netapp | snapcenter | — | cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* |
| siemens | sinema_remote_connect_client | <= 2.0 | cpe:2.3:a:siemens:sinema_remote_connect_client:*:*:*:*:*:*:*:* |
| oracle | communications_operations_monitor | 3.4 | cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:* |
| oracle | communications_operations_monitor | 4.0 | cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:* |
| oracle | enterprise_manager_ops_center | 12.3.3 | cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:* |
| oracle | enterprise_manager_ops_center | 12.4.0 | cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:* |
| oracle | http_server | 12.2.1.3.0 | cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:* |
| oracle | mysql_server | <= 5.7.26 | cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* |
| oracle | mysql_server | >= 5.7.27, <= 8.0.15 | cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* |
| oracle | secure_global_desktop | 5.4 | cpe:2.3:a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:* |
| oracle | services_tools_bundle | 19.2 | cpe:2.3:a:oracle:services_tools_bundle:19.2:*:*:*:*:*:*:* |
| redhat | enterprise_linux | 8.0 | cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* |