CVE-2024-2398

NameCVE-2024-2398
DescriptionWhen an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)buster7.64.0-4+deb10u2vulnerable
buster (security)7.64.0-4+deb10u9vulnerable
bullseye (security), bullseye7.74.0-1.3+deb11u11vulnerable
bookworm, bookworm (security)7.88.1-10+deb12u5vulnerable
trixie8.5.0-2vulnerable
sid8.7.1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsource(unstable)8.7.1-1

Notes

[bookworm] - curl <no-dsa> (Minor issue)
[bullseye] - curl <no-dsa> (Minor issue)
[buster] - curl <postponed> (Minor issue; can be fixed in next update)
https://curl.se/docs/CVE-2024-2398.html
Introduced by: https://github.com/curl/curl/commit/ea7134ac874a66107e54ff93657ac565cf2ec4aa (curl-7_44_0)
Fixed by: https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764 (curl-8_7_0)

Search for package or bug name: Reporting problems