Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2024-2398

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Related bugs and status

CVE-2024-2398 (Candidate) is related to these bugs:

Bug #2071582: [Debian] Medium CVE: CVE-2024-2398 curl

Summary				In	Importance	Status
	2071582	[Debian] Medium CVE: CVE-2024-2398 curl		StarlingX	High	Fix Released

See the

CVE page on Mitre.org for more details.

References

FEDORA: FEDORA-2024-6dab59bd47
FEDORA: FEDORA-2024-a09456b7a9
MISC: https://hackerone.com/...
MISC: https://curl.se/docs/C...
MISC: https://curl.se/docs/C...
CONFIRM: https://security.netap...
MLIST: [oss-security] 2024032...