CVE-2024-2398

HIGH

curl 7.44.0-8.6.0 - Memory Leak via HTTP/2 Server Push Header Limit Abort

Title source: llm
STIX 2.1

Description

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

References (13)

Core 13
Core References
Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jul/18
Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jul/19
Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jul/20
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/03/27/3
Exploit, Issue Tracking, Third Party Advisory
https://hackerone.com/reports/2402845
Release Notes, Vendor Advisory
https://support.apple.com/kb/HT214118
Release Notes, Vendor Advisory
https://support.apple.com/kb/HT214119
Release Notes, Vendor Advisory
https://support.apple.com/kb/HT214120

Scores

CVSS v3 8.6
EPSS 0.3608
EPSS Percentile 98.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-772
Status published
Products (15)
apple/macos < 12.7.6
fedoraproject/fedora 39
fedoraproject/fedora 40
haxx/curl 7.44.0 - 8.7.0
netapp/active_iq_unified_manager
netapp/bootstrap_os
netapp/brocade_fabric_operating_system
netapp/h300s_firmware
netapp/h410s_firmware
netapp/h500s_firmware
... and 5 more
Published Mar 27, 2024
Tracked Since Feb 18, 2026