CVE-2024-6874
MEDIUM | libcurl - Buffer Overflow
Title source: llmDescription
libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. When asked to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack-based buffer when built to use the *macidn* IDN backend. The conversion function fills the provided buffer exactly, but does not null-terminate the string. This flaw can lead to stack contents accidentally being returned as part of the converted string.
References (5)
Scores
CVSS v3: 4.3
EPSS: 0.0099
EPSS Percentile: 76.6%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Classification
CWE: CWE-125
Status: published
Affected Products (1)
haxx/libcurl
Timeline
Published: Jul 24, 2024
Tracked Since: Feb 18, 2026