CVE-2024-2398

2024-03-2700:00:00

ubuntu.com

http/2

libcurl

server push

memory leakage

silent failure

security vulnerability

cve-2024-2398

application security

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

17.6%

JSON

When an application tells libcurl it wants to allow HTTP/2 server push, and
the amount of received headers for the push surpasses the maximum allowed
limit (1000), libcurl aborts the server push. When aborting, libcurl
inadvertently does not free all the previously allocated headers and
instead leaks the memory. Further, this error condition fails silently and
is therefore not easily detected by an application.

Notes

Author	Note
mdeslaur	affects curl 7.44.0 to and including 8.6.0 introduced in https://github.com/curl/curl/commit/ea7134ac874a66107e54ff9

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchcurl< 7.58.0-2ubuntu3.24+esm4UNKNOWN
ubuntu20.04noarchcurl< 7.68.0-1ubuntu2.22UNKNOWN
ubuntu22.04noarchcurl< 7.81.0-1ubuntu1.16UNKNOWN
ubuntu23.10noarchcurl< 8.2.1-1ubuntu3.3UNKNOWN
ubuntu24.04noarchcurl< 8.5.0-2ubuntu10.1UNKNOWN
ubuntu16.04noarchcurl< 7.47.0-1ubuntu2.19+esm12UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	curl	< 7.58.0-2ubuntu3.24+esm4	UNKNOWN
ubuntu	20.04	noarch	curl	< 7.68.0-1ubuntu2.22	UNKNOWN
ubuntu	22.04	noarch	curl	< 7.81.0-1ubuntu1.16	UNKNOWN
ubuntu	23.10	noarch	curl	< 8.2.1-1ubuntu3.3	UNKNOWN
ubuntu	24.04	noarch	curl	< 8.5.0-2ubuntu10.1	UNKNOWN
ubuntu	16.04	noarch	curl	< 7.47.0-1ubuntu2.19+esm12	UNKNOWN