In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
Conclusion & alert: CVE-2022-42916 is rated Low Risk (35/100): CVSS High severity, with low exploitation likelihood (EPSS 0.05%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-04-19 | 0.12% | 0.05% | -0.08% |
| 2 | 2026-03-04 | 0.22% | 0.12% | -0.10% |
| 3 | 2026-03-01 | — | 0.22% | — |
Full EPSS history (29 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2022-42916: 1 source package rows (curl); 42 state rows across 7 repos (3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 7, open 35. | https://security.alpinelinux.org/vuln/CVE-2022-42916 |
debian
|
not yet assigned | CVE-2022-42916 not yet assigned priority: Debian including 1 source packages (curl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 4, open 1. | https://security-tracker.debian.org/tracker/CVE-2022-42916 |
gentoo
|
high | CVE-2022-42916: 1 GLSA(s) (202212-01), 1 atom(s) (net-misc/curl); latest impact high. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2022-42916 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2022-42916 |
suse
|
high | CVE-2022-42916 severity important: SUSE including 363 source package names (0.58.0.1.147:libcurl4-7.79.1-150400.5.9.1, 0.58.0.17.143:curl-7.79.1-150400.5.9.1, …), 821 product×package rows across 260 product lines (Container bci/bci-init, Container bci/dotnet-aspnet, … (260 product lines)): Fixed 600, Known Affected 128, Known Not Affected 93. | https://www.suse.com/security/cve/CVE-2022-42916/ |
ubuntu
|
medium | CVE-2022-42916 medium priority: Ubuntu including 1 source packages (curl), 7 status rows across 7 suites (bionic, focal, jammy, kinetic, trusty, upstream, xenial): not-affected 4, released 2, needs-triage 1. | https://ubuntu.com/security/CVE-2022-42916 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| haxx | curl | >= 7.77.0, < 7.86.0 | cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* |
| fedoraproject | fedora | 35 | cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
| fedoraproject | fedora | 36 | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* |
| fedoraproject | fedora | 37 | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* |
| apple | macos | < 12.6.3 | cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* |
| apple | macos | >= 13.0, < 13.2 | cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* |
| splunk | universal_forwarder | >= 8.2.0, < 8.2.12 | cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* |
| splunk | universal_forwarder | >= 9.0.0, < 9.0.6 | cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* |
| splunk | universal_forwarder | 9.1.0 | cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:* |