Published: 27/03/2024 Updated: 03/05/2024

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols The below command would perform a request to curlse with a plaintext protocol which has been explicitly disabled curl --proto -all,-http ht ...

oss-sec mailing list archives   By Date By Thread </form>    [SECURITY ADVISORY] curl: CVE-2024-2398: HTTP/2 push headers memory-leak   ...

https://curl.se/docs/CVE-2024-2398.json https://curl.se/docs/CVE-2024-2398.html https://hackerone.com/reports/2402845 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/http://www.openwall.com/lists/oss-security/2024/03/27/3 https://security.netapp.com/advisory/ntap-20240503-0009/https://nvd.nist.gov https://alas.aws.amazon.com/AL2/ALAS-2024-2526.html

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2024-2398

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Mailing Lists

References

Vulmon Search

About

Products

Connect