Libcurl Aborts Server Push Due to Memory Leak
CVE-2024-2398

8.6HIGH

Key Information:

Vendor: Curl
Status: Curl
Vendor: CVE Published:; 27 March 2024

What is CVE-2024-2398?

The vulnerability arises when applications using libcurl attempt to leverage HTTP/2 server push functionality and exceed the maximum header limit of 1000. In these instances, libcurl aborts the server push operation but fails to deallocate previously allocated headers, leading to unintentional memory leaks. This silent failure complicates detection, posing a risk for applications unaware of the potential memory consumption. Developers utilizing libcurl should assess their use of HTTP/2 server push and implement necessary mitigations to handle this vulnerability.

Affected Version(s)

curl 8.6.0

curl 8.5.0

curl 8.4.0

References

https://curl.se/docs/CVE-2024-2398.json

https://curl.se/docs/CVE-2024-2398.html

https://hackerone.com/reports/2402845

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 27, 2024
Vulnerability Reserved
Mar 12, 2024

Credit

w0x42 on hackerone

Stefan Eissing