Libcurl Aborts Server Push Due to Memory Leak
CVE-2024-2398

8.6HIGH

Key Information:

Vendor: Curl
Status: Curl
Vendor: CVE Published:; 27 March 2024

What is CVE-2024-2398?

The vulnerability arises when applications using libcurl attempt to leverage HTTP/2 server push functionality and exceed the maximum header limit of 1000. In these instances, libcurl aborts the server push operation but fails to deallocate previously allocated headers, leading to unintentional memory leaks. This silent failure complicates detection, posing a risk for applications unaware of the potential memory consumption. Developers utilizing libcurl should assess their use of HTTP/2 server push and implement necessary mitigations to handle this vulnerability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

curl 8.6.0

curl 8.5.0

curl 8.4.0

References

https://curl.se/docs/CVE-2024-2398.json

https://curl.se/docs/CVE-2024-2398.html

https://hackerone.com/reports/2402845

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 27, 2024
Vulnerability Reserved
Mar 12, 2024

Credit

w0x42 on hackerone

Stefan Eissing

JSON

Curl