A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1. (CVE-2019-5436)
Impact
An attacker could cause a denial of service (DoS) or arbitrary code execution if you use cURL to transfer data to or from a TFTP server and set the blksize (block size) option to a value below 504 (the default value is 512). Users setting a block size smaller than the default should be rare, as the primary use case for changing the block size is to make it larger.
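To check an environment against the two conditions above (an affected libcurl version and a TFTP block size below 504), the following added example, which is not part of the advisory or of the curl project, parses `curl --version` output and scans curl command lines for `--tftp-blksize`. The function names, the sample version string and the sample commands are constructed for illustration.

```python
import re
import shlex

# Affected range and trigger condition as stated in the advisory.
FIRST_AFFECTED = (7, 19, 4)
LAST_AFFECTED = (7, 64, 1)
RISKY_BLKSIZE_BELOW = 504  # default is 512

def libcurl_version(version_output):
    """Parse the libcurl version from `curl --version` output (the tool and
    library versions can differ, so read the libcurl/ token)."""
    m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", version_output)
    return tuple(map(int, m.groups())) if m else None

def version_affected(ver):
    return ver is not None and FIRST_AFFECTED <= ver <= LAST_AFFECTED

def small_tftp_blksize(command):
    """Return the --tftp-blksize value if a TFTP transfer sets it below 504."""
    try:
        args = shlex.split(command)
    except ValueError:  # unbalanced quotes: not a parsable command line
        return None
    if not any(a.lower().startswith("tftp://") for a in args):
        return None
    for opt, val in zip(args, args[1:]):
        if opt == "--tftp-blksize" and val.isdigit():
            if int(val) < RISKY_BLKSIZE_BELOW:
                return int(val)
    return None

def audit(version_output, commands):
    """List (blksize, command) pairs that meet both advisory conditions."""
    if not version_affected(libcurl_version(version_output)):
        return []
    hits = []
    for cmd in commands:
        size = small_tftp_blksize(cmd)
        if size is not None:
            hits.append((size, cmd))
    return hits

# Constructed sample input (not from the advisory).
SAMPLE_VERSION = "curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11"
SAMPLE_COMMANDS = [
    "curl --tftp-blksize 256 -o fw.bin tftp://192.0.2.10/fw.bin",
    "curl --tftp-blksize 1428 -O tftp://192.0.2.10/image.bin",
    "curl -O tftp://192.0.2.10/boot.cfg",
]

if __name__ == "__main__":
    for size, cmd in audit(SAMPLE_VERSION, SAMPLE_COMMANDS):
        print(f"blksize {size} on affected libcurl: {cmd}")
```

Applications that link libcurl directly set the block size through `CURLOPT_TFTP_BLKSIZE` rather than the command line, so they need a source review for that option instead of this scan.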