CVE-2019-3822

Exp

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.

Published: 2019-02-06 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2019-3822 is rated High Exploit Risk (82.7/100): CVSS Critical severity, with high exploitation likelihood (EPSS 12.77%, 96th percentile). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2019-3822

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2019-3822

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 18.52% 12.77% -5.75%
2 2026-05-29 17.58% 18.52% +0.94%
3 2026-05-26 17.58%

Full EPSS history (35 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2019-3822

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
9.8 3.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
3.9 5.9 [email protected]
7.1 3.0 HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
2.8 4.2 [email protected]
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
10.0 6.4 [email protected]

Weakness enumeration for CVE-2019-3822

OS Trackers for CVE-2019-3822

vendor priority summary link
alpine critical CVE-2019-3822: 1 source package rows (curl); 10 state rows across 10 repos (3.10-main, 3.11-main, 3.12-main, 3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 10, open 0. https://security.alpinelinux.org/vuln/CVE-2019-3822
debian not yet assigned CVE-2019-3822 not yet assigned priority: Debian including 1 source packages (curl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2019-3822
gentoo normal CVE-2019-3822: 1 GLSA(s) (201903-03), 1 atom(s) (net-misc/curl); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2019-3822
redhat medium https://access.redhat.com/security/cve/CVE-2019-3822
suse medium CVE-2019-3822 severity moderate: SUSE including 359 source package names (0.1.0:libcurl4-7.60.0-3.17.1, 0.1.75:libcurl4-7.60.0-3.17.1, …), 439 product×package rows across 98 product lines (Container caasp/v4/389-ds, Container caasp/v4/busybox, … (98 product lines)): Fixed 267, Known Affected 157, Known Not Affected 15. https://www.suse.com/security/cve/CVE-2019-3822/
ubuntu medium CVE-2019-3822 medium priority: Ubuntu including 1 source packages (curl), 5 status rows across 5 suites (bionic, cosmic, trusty, upstream, xenial): released 4, not-affected 1. https://ubuntu.com/security/CVE-2019-3822

Affected software / configurations for CVE-2019-3822

Vendor Product Version Raw CPE
haxx libcurl >= 7.36.0, < 7.64.0 cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*
canonical ubuntu_linux 14.04 cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 16.04 cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 18.04 cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 18.10 cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
debian debian_linux 9.0 cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
netapp active_iq_unified_manager >= 7.3 cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*
netapp active_iq_unified_manager >= 9.5 cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vsphere:*:*
netapp clustered_data_ontap cpe:2.3:a:netapp:clustered_data_ontap:*:*:*:*:*:*:*:*
netapp oncommand_insight cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
netapp oncommand_workflow_automation cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
netapp snapcenter cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
siemens sinema_remote_connect_client <= 2.0 cpe:2.3:a:siemens:sinema_remote_connect_client:*:*:*:*:*:*:*:*
oracle communications_operations_monitor 3.4 cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
oracle communications_operations_monitor 4.0 cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*
oracle enterprise_manager_ops_center 12.3.3 cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
oracle enterprise_manager_ops_center 12.4.0 cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*
oracle http_server 12.2.1.3.0 cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*
oracle mysql_server <= 5.7.26 cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
oracle mysql_server >= 5.7.27, <= 8.0.15 cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
oracle secure_global_desktop 5.4 cpe:2.3:a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:*
oracle services_tools_bundle 19.2 cpe:2.3:a:oracle:services_tools_bundle:19.2:*:*:*:*:*:*:*
redhat enterprise_linux 8.0 cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

References for CVE-2019-3822

URL Tags
http://www.securityfocus.com/bid/106950 Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2019:3701 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3822 Exploit Issue Tracking Patch Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf Third Party Advisory
https://curl.haxx.se/docs/CVE-2019-3822.html Patch Vendor Advisory
https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E
https://security.gentoo.org/glsa/201903-03 Third Party Advisory
https://security.netapp.com/advisory/ntap-20190315-0001/ Patch Third Party Advisory
https://security.netapp.com/advisory/ntap-20190719-0004/ Third Party Advisory
https://support.f5.com/csp/article/K84141449 Third Party Advisory
https://support.f5.com/csp/article/K84141449?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/3882-1/ Third Party Advisory
https://www.debian.org/security/2019/dsa-4386 Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Patch Third Party Advisory
cvelogic Threat Intelligence