CVE-2018-16840
Published 2018-10-31
Priority P343 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.33% (87.1th percentile)
A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | curl | < curl 7.62.0-1 (bookworm) | curl 7.62.0-1 (bookworm) |
| haxx | curl | >= 0 < 7.62.0-1 | 7.62.0-1 |
| haxx | curl | >= 0 < 7.62.0-1 | 7.62.0-1 |
| haxx | curl | >= 0 < 7.62.0-1 | 7.62.0-1 |
| haxx | curl | >= 0 < 7.62.0-1 | 7.62.0-1 |
| haxx | curl | >= 0 < 7.35.0-1ubuntu2.19 | 7.35.0-1ubuntu2.19 |
| haxx | curl | >= 0 < 7.47.0-1ubuntu2.11 | 7.47.0-1ubuntu2.11 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.5 | 7.58.0-2ubuntu3.5 |
| haxx | curl | >= 7.59.0 < 7.62.0 | 7.62.0 |
| paloalto | pan-os | — | — |
| the_curl_project | curl | — | — |
CVSS provenance
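| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 4.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |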
Palo Alto
PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-09-04·CVSS 6.0
CVE-2010-1622 [MEDIUM] PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2010-1622, CVE-2015-7552, CVE-2018-16840, CVE-2019-7639, CVE-2020-17049, CVE-2020-7774, CVE-2021-0131, CVE-2021-0132, CVE-2021-0133, CVE-2021-0134, CVE-2021-4044, CVE-2021-4160, CVE-2021-41773, CVE-2022-1343, CVE-2022-21449, CVE-2022-2274, CVE-2022-22963, CVE-2022-22965, CVE-2022-24697, CVE-2022-32207, CVE-2022-3358, CVE-2022-3996, CVE-2022-40664, CVE-2022-44792, CVE-2022-44793, CVE-2023-1255, CVE-2023-22809, CVE-2023-23919, CVE-2023-3341, CVE-2023-4236, CVE-2023-4863, CVE-2023-51767
Affected products: PAN-OS
Ubuntu
curl vulnerabilities
vendor_ubuntu·2018-10-31·CVSS 4.3
CVE-2018-16839 [MEDIUM] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Harry Sintonen discovered that curl incorrectly handled SASL
authentication. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2018-16839)
Brian Carpenter discovered that curl incorrectly handled memory when
closing certain handles. A remote attacker could use this issue to cause
curl to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2018-16840)
Brian Carpenter discovered that the curl command-line tool incorrectly
handled error messages. A remote attacker could possibly use this issue to
obtain sensitive information. (CVE-2018-16842)
Instructions: In general, a standard system update
Red Hat
curl: Use-after-free when closing "easy" handle in Curl_close()
vendor_redhat·2018-10-31·CVSS 9.8
CVE-2018-16840 [CRITICAL] CWE-416 curl: Use-after-free when closing "easy" handle in Curl_close()
A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.
Package: rh-dotnetcore10-curl (.NET Core 1.0 on Red Hat Enterprise Linux) - Not affected
Package: rh-dotnetcore11-curl (.NET Core 1.1 on Red Hat Enterprise Linux) - Not affected
Package: rh-dotnet21-curl (.NET Core 2.1 on Red Hat Enterprise Linux) - Not affected
Package: curl (Red Hat Enterprise Linux 5) - Not affected
Package: curl (Red Hat Enterprise Lin
Debian
CVE-2018-16840: curl - A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1...
vendor_debian·2018·CVSS 9.8
CVE-2018-16840 [CRITICAL] CVE-2018-16840: curl - A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1...
A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.
Scope: local
bookworm: resolved (fixed in 7.62.0-1)
bullseye: resolved (fixed in 7.62.0-1)
forky: resolved (fixed in 7.62.0-1)
sid: resolved (fixed in 7.62.0-1)
trixie: resolved (fixed in 7.62.0-1)
GHSA
GHSA-6vwf-m72q-cw8h: A heap use-after-free flaw was found in curl versions from 7
ghsa_unreviewed·2022-05-13
CVE-2018-16840 [CRITICAL] CWE-416 GHSA-6vwf-m72q-cw8h: A heap use-after-free flaw was found in curl versions from 7
A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.
OSV
curl vulnerabilities
osv·2018-10-31·CVSS 9.8
CVE-2018-16839 [CRITICAL] curl vulnerabilities
Harry Sintonen discovered that curl incorrectly handled SASL
authentication. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2018-16839)
Brian Carpenter discovered that curl incorrectly handled memory when
closing certain handles. A remote attacker could use this issue to cause
curl to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2018-16840)
Brian Carpenter discovered that the curl command-line tool incorrectly
handled error messages. A remote attacker could possibly use this issue to
obtain sensitive information. (CVE-2018-16842)
OSV
CVE-2018-16840: A heap use-after-free flaw was found in curl versions from 7
osv·2018-10-31·CVSS 9.8
CVE-2018-16840 [CRITICAL] CVE-2018-16840: A heap use-after-free flaw was found in curl versions from 7
A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-16840 mingw-curl: curl: Use-after-free when closing "easy" handle in Curl_close() [epel-7]
bugzilla·2018-10-31·CVSS 9.8
CVE-2018-16840 [CRITICAL] CVE-2018-16840 mingw-curl: curl: Use-after-free when closing "easy" handle in Curl_close() [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following tem
Bugzilla
CVE-2018-16840 curl: Use-after-free when closing "easy" handle in Curl_close() [fedora-all]
bugzilla·2018-10-31·CVSS 9.8
CVE-2018-16840 [CRITICAL] CVE-2018-16840 curl: Use-after-free when closing "easy" handle in Curl_close() [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supp
Bugzilla
CVE-2018-16840 curl: Use-after-free when closing "easy" handle in Curl_close()
bugzilla·2018-10-24·CVSS 9.8
CVE-2018-16840 [CRITICAL] CVE-2018-16840 curl: Use-after-free when closing "easy" handle in Curl_close()
Curl versions 7.59.0 to 7.61.1 are vulnerable to a heap use-after-free flaw in code related to closing an easy handle.
When closing and cleaning up an "easy" handle in the `Curl_close()` function,
the library code first frees a struct (without nulling the pointer) and might
then subsequently erroneously write to a struct field within that already
freed struct.
Discussion:
Acknowledgments:
Name: the Curl project
Upstream: Brian Carpenter (Geeknik Labs)
---
External Reference:
https://curl.haxx.se/docs/CVE-2018-16840.html
Upstream Patch:
https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f
---
Created curl tracking bugs for this issue:
Affects: fedora-all [bug 1644555]
Created
http://www.securitytracker.com/id/1042013
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16840
https://curl.haxx.se/docs/CVE-2018-16840.html
https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f
https://security.gentoo.org/glsa/201903-03
https://usn.ubuntu.com/3805-1/
Published: 2018-10-31