CVE-2024-2398

NameCVE-2024-2398
DescriptionWhen an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)jessie, jessie (lts)7.38.0-4+deb8u28fixed
stretch (security)7.52.1-5+deb9u16vulnerable
stretch (lts), stretch7.52.1-5+deb9u22vulnerable
buster, buster (lts)7.64.0-4+deb10u10vulnerable
buster (security)7.64.0-4+deb10u9vulnerable
bullseye7.74.0-1.3+deb11u13fixed
bullseye (security)7.74.0-1.3+deb11u14fixed
bookworm7.88.1-10+deb12u8fixed
bookworm (security)7.88.1-10+deb12u5vulnerable
sid, trixie8.11.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcejessie(not affected)
curlsourcebullseye7.74.0-1.3+deb11u12
curlsourcebookworm7.88.1-10+deb12u6
curlsource(unstable)8.7.1-1

Notes

[buster] - curl <postponed> (Minor issue; can be fixed in next update)
https://curl.se/docs/CVE-2024-2398.html
Introduced by: https://github.com/curl/curl/commit/ea7134ac874a66107e54ff93657ac565cf2ec4aa (curl-7_44_0)
Fixed by: https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764 (curl-8_7_0)
[stretch] - curl <postponed> (Minor issue; can be fixed in next update)
[jessie] - curl <not-affected> (Vulnerable code not present)

Search for package or bug name: Reporting problems