{"vulnerability": "cve-2025-9086", "sightings": [
{"uuid": "e7112c16-1640-448a-9e02-4c6cbe8d581e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://bsky.app/profile/bagder.mastodon.social.ap.brid.gy/post/3lyhkfawzbps2", "content": "", "creation_timestamp": "2025-09-10T05:57:51.293828Z"},
{"uuid": "0827466d-0188-4a9f-a6e5-bc40be4f9a47", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://bsky.app/profile/securitycipher.bsky.social/post/3lyhlnaa4hk2g", "content": "", "creation_timestamp": "2025-09-10T06:19:16.341525Z"},
{"uuid": "fc70ed5d-b3a6-4303-a78d-ad958d6b0ade", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lymrfqvytd2c", "content": "", "creation_timestamp": "2025-09-12T07:45:46.368139Z"},
{"uuid": "5558078e-af1b-426e-b7b1-960717b8d758", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://daniel.haxx.se/blog/2025/09/10/curl-8-16-0/", "content": "", "creation_timestamp": "2025-09-10T03:49:32.000000Z"},
{"uuid": "4518c170-6098-4646-a51e-4e4bdf43bea1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://seclists.org/oss-sec/2025/q3/160", "content": "", "creation_timestamp": "2025-09-10T03:55:35.000000Z"},
{"uuid": "744c7588-9d05-4792-bb33-1d7a5d036919", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://bsky.app/profile/lambdawatchdog.bsky.social/post/3m62pvdyc4e27", "content": "", "creation_timestamp": "2025-11-20T12:01:02.633698Z"},
{"uuid": "7ac531bb-3340-48f7-9a64-f26f86fb3a3d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3lyhp2scxyw2i", "content": "", "creation_timestamp": "2025-09-10T07:20:32.677919Z"},
{"uuid": "d8704ea8-2d28-4ef5-954b-b6104f6c0def", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://bsky.app/profile/nixpkgssecuritychanges.gerbet.me/post/3lykfclc5nq2j", "content": "", "creation_timestamp": "2025-09-11T09:03:55.745799Z"},
{"uuid": "3d26be9e-06dc-43d1-a08c-1c0b26226340", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://bsky.app/profile/lambdawatchdog.bsky.social/post/3m5e3n6dbzy2t", "content": "", "creation_timestamp": "2025-11-11T12:00:54.243584Z"},
{"uuid": "d9124112-ee96-40a7-8a93-9f77c17943d2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-06", "content": "", "creation_timestamp": "2026-02-12T11:00:00.000000Z"},
{"uuid": "3633a497-f582-4349-9b9a-d7592441d514", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3lynw3tmhws2i", "content": "", "creation_timestamp": "2025-09-12T18:42:24.632114Z"},
{"uuid": "6eec7e46-f52e-413a-add1-6600f05ff9bc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mcx3js57e62m", "content": "", "creation_timestamp": "2026-01-21T16:25:34.085391Z"},
{"uuid": "86bdab78-22d6-4e61-807f-7629a0b9c8a8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mboswfru5k2c", "content": "", "creation_timestamp": "2026-01-05T16:05:07.089726Z"},
{"uuid": "b124b02a-3f5f-46b6-83ef-237b22afdf2c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mdylqa653sh2", "content": "", "creation_timestamp": "2026-02-04T00:13:21.584071Z"},
{"uuid": "a4c6a152-6eb6-4cef-8b19-35e1d910aa8f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://bsky.app/profile/lambdawatchdog.bsky.social/post/3mbvwp635ox27", "content": "", "creation_timestamp": "2026-01-08T12:01:13.228018Z"},
{"uuid": "cb261cde-e7cc-45b2-ac1c-0c649d026714", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "Telegram/tekSf9DesmcKO4l7eOnKzE6eB5F-0xU9pnOpI7ixeynUA5uJ", "content": "", "creation_timestamp": "2025-09-19T03:28:55.000000Z"},
{"uuid": "4109666e-608b-485c-8f6a-0f26770eb568", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "c933734a-9be8-4142-889e-26e95c752803", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://vulnerability.circl.lu/bundle/bbcbc485-b88d-4831-b8e9-6e37e7bd9875", "content": "", "creation_timestamp": "2026-01-21T21:18:16.771453Z"},
{"uuid": "95c631ef-b73f-42ca-a5e7-31bdc58841be", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://bsky.app/profile/lambdawatchdog.bsky.social/post/3mdfpkvapxc2e", "content": "", "creation_timestamp": "2026-01-27T12:01:21.730612Z"},
{"uuid": "c99e57d8-fdff-4a5e-a0c0-8b68edee6071", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "c933734a-9be8-4142-889e-26e95c752803", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://vulnerability.circl.lu/bundle/c5b7cfe4-31dc-48ad-9aad-8e8bd3c6bf83", "content": "", "creation_timestamp": "2025-12-16T06:48:31.589489Z"},
{"uuid": "4fd766f9-7fa4-4500-8023-2425c5f4e979", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "published-proof-of-concept", "source": "Telegram/Cc7Fs-N6rPWwOKa2kSVDmQbR12OA08yKYTZqXY9tAdJRLzI", "content": "", "creation_timestamp": "2026-01-05T04:00:51.000000Z"},
{"uuid": "5ae364b6-9506-4aea-8351-d04b07ecf071", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3ml6w2pvmdv2q", "content": "\ud83d\udd17 CVE : CVE-2025-11083, CVE-2025-12818, CVE-2025-38129, CVE-2025-38248, CVE-2025-39697, CVE-2025-39971, CVE-2025-40064, CVE-2025-64720, CVE-2025-65018, CVE-2025-66293, CVE-2025-68800, CVE-2025-69419, CVE-2025-71085, CVE-2025-9086, CVE-2026-23001, CVE-2026-23074, CVE-2026-23097", "creation_timestamp": "2026-05-06T14:30:33.185742Z"},
{"uuid": "ac436736-010f-471a-825b-f8f9b7addc69", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-9086", "type": "seen", "source": "https://gist.github.com/Caixa-git/b651dc90f3055319340ba3e6976fb35e", "content": "# Vulnerability Report: curl/libcurl PUSH_PROMISE Heap Buffer Over-read\n\n## Summary\n\nA heap buffer over-read vulnerability exists in curl's HTTP/2 implementation (`lib/http2.c` line 1489). When processing PUSH_PROMISE frames, the `on_header` callback uses `curl_maprintf(\"%s:%s\", ...)` to store header name:value pairs, but the `name` and `value` pointers provided by the nghttp2 library are **not guaranteed to be null-terminated**. The `%s` format specifier reads past the intended buffer boundary until a null byte is found, causing an out-of-bounds heap read.\n\n## Vulnerability Details\n\n### Bug Location\n\n**File:** `lib/http2.c` \u2014 line 1489  \n**Function:** `on_header()` (callback invoked by nghttp2 for each HTTP/2 header)  \n**Trigger:** PUSH_PROMISE frame processing\n\n### Vulnerable Code\n\n```c\n// line 1489 \u2014 BUG: name/value are NOT null-terminated\nh = curl_maprintf(\"%s:%s\", name, value);\n```\n\n### Root Cause\n\nThe `on_header` callback receives `name` and `value` as `const uint8_t *` pointers into nghttp2's internal HPACK decoding buffer. The nghttp2 API documentation explicitly documents length-limited parameters:\n\n```\ntypedef int (*nghttp2_on_header_callback)(\n    nghttp2_session *session,\n    const nghttp2_frame *frame,\n    const uint8_t *name,   // NOT null-terminated\n    size_t namelen,         // length provided separately\n    const uint8_t *value,  // NOT null-terminated\n    size_t valuelen,        // length provided separately\n    uint8_t flags,\n    void *userp\n);\n```\n\nUsing `%s` with a non-null-terminated buffer causes:\n1. **Heap memory leak** \u2014 contiguous heap data following the intended value is read into the header string\n2. **Potential crash** \u2014 reading across a memory page boundary into unmapped memory causes SIGSEGV\n3. **Information disclosure** \u2014 the over-read data is stored in `push_headers[]` and passed to the application's `CURLOPT_PUSHFUNCTION` callback\n\n### Correct Pattern (exists in same file)\n\nThe same function correctly handles non-null-terminated data in the trailer processing path (line 1500):\n\n```c\n// line 1500 \u2014 CORRECT: uses %.*s with explicit length\nCURL_TRC_CF(data_s, cf, \"[%d] trailer: %.*s: %.*s\",\n            stream->id, (int)namelen, name, (int)valuelen, value);\n```\n\nAnd in the non-PUSH header path (line 1502):\n\n```c\n// line 1502 \u2014 CORRECT: uses explicit length\nresult = Curl_dynhds_add(&stream->resp_trailers,\n                         (const char *)name, namelen,\n                         (const char *)value, valuelen);\n```\n\n### Fix\n\nReplace line 1489 with:\n\n```c\nh = curl_maprintf(\"%.*s:%.*s\", (int)namelen, name, (int)valuelen, value);\n```\n\n## Impact\n\n| Impact | Description |\n|--------|-------------|\n| **Information Disclosure** | Heap contents adjacent to the header value buffer are read and returned to the application through `curl_pushheader_bynum()` / `curl_pushheader_byname()` in the PUSH callback. This can leak sensitive heap data (session keys, TLS buffers, other connection data) to the application. |\n| **Denial of Service** | If the over-read crosses a page boundary into unmapped memory, the process crashes with SIGSEGV. |\n| **Data Corruption** | A malformed string may cause incorrect parsing of pushed headers by the application. |\n\n**Attack Vector:** A malicious or compromised HTTP/2 server sends a crafted PUSH_PROMISE frame. The attacker needs to be in control of the HTTP/2 server or have MITM capability (TLS interception).\n\n**CWE Classification:** CWE-125: Out-of-bounds Read  \n**C Mistake Category:** OVERREAD\n\n## Affected Versions\n\n- **Affected:** All versions of curl built with HTTP/2 support (nghttp2) that include PUSH_PROMISE handling\n- **First vulnerable:** commit introducing PUSH_PROMISE support in `on_header` callback\n- **Last vulnerable:** latest released version (the bug remains unpatched at time of report)\n\nThe vulnerability requires `CURLOPT_PUSHFUNCTION` to be set by the application for the heap data to be leaked to the caller. However, the buffer over-read itself occurs regardless \u2014 the heap data is read into `push_headers[]` memory regardless of whether the application registers a push callback.\n\n## Steps to Reproduce\n\n### Method 1: Code Analysis (Static)\n\nExamine `lib/http2.c` lines 1489 and 1500-1504 side by side:\n\n```\nLine 1489:   h = curl_maprintf(\"%s:%s\", name, value);                    \u2190 BUG\nLine 1500:   ... \"%.*s: %.*s\", (int)namelen, name, (int)valuelen, value  \u2190 CORRECT\nLine 1502-3: Curl_dynhds_add(..., name, namelen, value, valuelen);      \u2190 CORRECT\n```\n\nThe same function uses three different patterns for the same data. Only the PUSH_PROMISE path uses the unsafe `%s`.\n\n### Method 2: AddressSanitizer (Dynamic)\n\n1. Build curl with AddressSanitizer:\n   ```bash\n   mkdir build-asan && cd build-asan\n   cmake .. -DCMAKE_BUILD_TYPE=Debug \\\n            -DCMAKE_C_FLAGS=\"-fsanitize=address -fno-omit-frame-pointer\" \\\n            -DCMAKE_EXE_LINKER_FLAGS=\"-fsanitize=address\"\n   make -j$(nproc)\n   ```\n\n2. Run the PoC malicious HTTP/2 server (Python, see attached):\n   ```bash\n   python3 poc_server.py\n   ```\n\n3. Connect with curl setting a PUSH callback:\n   ```bash\n   curl --http2-prior-knowledge -k https://localhost:8443/push-test\n   ```\n\n4. ASAN will report a heap-buffer-overflow on the `curl_maprintf` call.\n\n### Method 3: Manual Trigger\n\nWrite a minimal C program using `curl_multi` with `CURLMOPT_PUSHFUNCTION`:\n```c\nstatic int push_cb(CURL *parent, CURL *child,\n                   size_t num_headers,\n                   struct curl_pushheaders *headers,\n                   void *userp) {\n    for (size_t i = 0; i < num_headers; i++) {\n        char *h = curl_pushheader_bynum(headers, i);\n        // h may contain heap data beyond the intended header value\n        printf(\"[%zu] %s\\n\", i, h);\n    }\n    return CURL_PUSH_DENY;\n}\n```\n\n## Supporting Material\n\nAttached:\n1. `poc_server.py` \u2014 Malicious HTTP/2 server that sends crafted PUSH_PROMISE\n2. `test_poc.py` \u2014 Automated test harness with ASAN build\n3. Code diff showing the bug and its fix\n\n## Timeline\n\n- **Discovery:** 2026-05-08\n- **Reported:** [Date of HackerOne submission]\n- **curl advisory:** Pending\n\n## Reporter\n\n- **Name:** [Your Name]\n- **HackerOne:** [Your HackerOne handle]\n\n---\n\n## Appendix A: Fix Commit Preview\n\n```diff\n--- a/lib/http2.c\n+++ b/lib/http2.c\n@@ -1486,7 +1486,7 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,\n       stream->push_headers = headp;\n     }\n-    h = curl_maprintf(\"%s:%s\", name, value);\n+    h = curl_maprintf(\"%.*s:%.*s\", (int)namelen, name, (int)valuelen, value);\n     if(!h) {\n       free_push_headers(stream);\n       return NGHTTP2_ERR_CALLBACK_FAILURE;\n```\n\n## Appendix B: CWE Reference\n\nCWE-125: Out-of-bounds Read  \nThe product reads data past the end, or before the beginning, of the intended buffer.\n\n## Appendix C: Related CVEs (same pattern in curl)\n\n| CVE | Description | Severity | Bounty |\n|-----|-------------|----------|--------|\n| CVE-2025-9086 | Out of bounds read for cookie path | Low | $505 |\n| CVE-2024-7264 | ASN.1 date parser overread | Low | $540 |\n| CVE-2024-6874 | macidn punycode buffer overread | Low | $540 |\n", "creation_timestamp": "2026-05-11T12:23:09.000000Z"}
]}