CVE-2024-6197
HIGHlibcurl 8.6.0-8.8.9 - Use-After-Free in ASN1 UTF-8 String Parser
Title source: llmDescription
libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.
References (6)
Core 6
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/07/24/1
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/07/24/5
Vendor Advisory
https://curl.se/docs/CVE-2024-6197.html
Vendor Advisory
https://curl.se/docs/CVE-2024-6197.json
Exploit, Issue Tracking, Technical Description
https://hackerone.com/reports/2559516
Vendor Advisory
https://security.netapp.com/advisory/ntap-20241129-0008/
Scores
CVSS v3
7.5
EPSS
0.0130
EPSS Percentile
80.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
Status
published
Products (1)
haxx/libcurl
8.6.0 - 8.9.0
Published
Jul 24, 2024
Tracked Since
Feb 18, 2026