CVE-2017-13090

high

Published 2017-10-27 · Modified 2026-05-13

CVSS v3

8.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2

9.3

VIR risk

8.8

Description

The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.

Predictions

Exploit likelihood

92%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-13090

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2017-13090.html

vendor Authored 2026-05-27

Vendor advisory: cret@cert.org — https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html

vendor Authored 2026-05-27

Vendor advisory: cret@cert.org — http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba

vendor Authored 2026-05-27

Vendor advisory: arch — https://security.archlinux.org/ASA-201710-34

OS impact

OS	Version	Status	Fixed in
arch		fixed	`1.19.2-1`
sles		affected
debian	8.0	affected
debian	9.0	affected
debian	bookworm	fixed	`1.19.2-1`
debian	bullseye	fixed	`1.19.2-1`
debian	forky	fixed	`1.19.2-1`
debian	sid	fixed	`1.19.2-1`
debian	trixie	fixed	`1.19.2-1`

Application impact

Vendor	Product	Versions	Fixed
gnu	wget	`{"endIncluding":"1.19.1"}`

References

CWEs

CWE-122 CWE-119

Verify integrity in audit chain (admin only). AS-IS.