CVE-2024-2398
Published: 2024-03-27
Priority: P2 · 63 · high · 8.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS: 36.08% (98.3th percentile)
When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.
Affected
115 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos | < 12.7.6 | 12.7.6 |
| apple | macos | >= 13.0 < 13.6.8 | 13.6.8 |
| apple | macos | >= 14.0 < 14.6 | 14.6 |
| apple | macos_monterey | — | — |
| apple | macos_sonoma | — | — |
| apple | macos_ventura | — | — |
| curl | curl | 7.44.0 – 7.44.0 | — |
| curl | curl | 7.45.0 – 7.45.0 | — |
| curl | curl | 7.46.0 – 7.46.0 | — |
| curl | curl | 7.47.0 – 7.47.0 | — |
| curl | curl | 7.47.1 – 7.47.1 | — |
| curl | curl | 7.48.0 – 7.48.0 | — |
| curl | curl | 7.49.0 – 7.49.0 | — |
| curl | curl | 7.49.1 – 7.49.1 | — |
| curl | curl | 7.50.0 – 7.50.0 | — |
| curl | curl | 7.50.1 – 7.50.1 | — |
| curl | curl | 7.50.2 – 7.50.2 | — |
| curl | curl | 7.50.3 – 7.50.3 | — |
| curl | curl | 7.51.0 – 7.51.0 | — |
| curl | curl | 7.52.0 – 7.52.0 | — |
| curl | curl | 7.52.1 – 7.52.1 | — |
| curl | curl | 7.53.0 – 7.53.0 | — |
| curl | curl | 7.53.1 – 7.53.1 | — |
| curl | curl | 7.54.0 – 7.54.0 | — |
| curl | curl | 7.54.1 – 7.54.1 | — |
Detection & IOCs (extracted from sources)
- Trigger condition: HTTP/2 server push is enabled in the application using libcurl, and the number of received push headers exceeds the maximum allowed limit of 1000, causing a silent memory leak (no error surfaced to the application).
- Monitor for sustained or growing memory consumption in processes using libcurl with HTTP/2 server push enabled (CURLMOPT_PUSHFUNCTION / CURL_PUSH_OK), particularly when communicating with untrusted or external HTTP/2 servers; this may indicate exploitation of the header-count memory leak.
- Affected protocol is HTTP/2 server push; detection should focus on HTTP/2 traffic (ALPN h2) where PUSH_PROMISE frames are sent with an abnormally large number of header fields (approaching or exceeding 1000 headers per push).
- The vulnerability is only exploitable when the application explicitly opts in to HTTP/2 server push support in libcurl; applications that do not enable server push are not affected.
- The error condition is silent: the memory leak is not surfaced to the calling application, making it difficult to detect via application-level logging alone; OS-level memory monitoring is required.
- Hitachi Energy MSM versions 2.2.8 and earlier are confirmed affected embedded deployments; these ICS devices may not receive prompt patching and should be network-isolated as a priority mitigation.
- Fixed Debian package versions are available: bookworm fixed in 7.88.1-10+deb12u6, bullseye fixed in 7.74.0-1.3+deb11u12, forky/sid/trixie fixed in 8.7.1-1. Deployments running older versions remain vulnerable.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
| osv | — | 8.6 | HIGH | — |
| vendor_debian | — | 8.6 | HIGH | — |
| vendor_msrc | — | 8.6 | HIGH | — |
| vendor_oracle | — | 8.6 | HIGH | — |
| vendor_redhat | — | 8.6 | HIGH | — |
| vendor_ubuntu | — | 8.6 | HIGH | — |
OSV
curl vulnerabilities
osv·2024-04-29·CVSS 3.5
CVE-2024-2004 [LOW] curl vulnerabilities
curl vulnerabilities
USN-6718-1 fixed vulnerabilities in curl. This update provides the
corresponding updates for Ubuntu 24.04 LTS.
Original advisory details:
Dan Fandrich discovered that curl would incorrectly use the default set of
protocols when a parameter option disabled all protocols without adding
any, contrary to expectations. This issue only affected Ubuntu 23.10.
(CVE-2024-2004)
It was discovered that curl incorrectly handled memory when limiting the
amount of headers when HTTP/2 server push is allowed. A remote attacker
could possibly use this issue to cause curl to consume resources, leading
to a denial of service. (CVE-2024-2398)
GHSA
GHSA-mq8w-c2j9-rqxc: When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed
ghsa_unreviewed·2024-03-27
CVE-2024-2398 [HIGH] CWE-772 GHSA-mq8w-c2j9-rqxc: When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed
OSV
CVE-2024-2398: When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed
osv·2024-03-27·CVSS 8.6
CVE-2024-2398 [HIGH] CVE-2024-2398: When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed
OSV
curl vulnerabilities
osv·2024-03-27·CVSS 3.5
CVE-2024-2004 [LOW] curl vulnerabilities
curl vulnerabilities
Dan Fandrich discovered that curl would incorrectly use the default set of
protocols when a parameter option disabled all protocols without adding
any, contrary to expectations. This issue only affected Ubuntu 23.10.
(CVE-2024-2004)
It was discovered that curl incorrectly handled memory when limiting the
amount of headers when HTTP/2 server push is allowed. A remote attacker
could possibly use this issue to cause curl to consume resources, leading
to a denial of service. (CVE-2024-2398)
OSV
curl vulnerability
osv·2024-03-27·CVSS 8.6
CVE-2024-2398 [HIGH] curl vulnerability
curl vulnerability
USN-6718-1 fixed a vulnerability in curl. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that curl incorrectly handled memory when limiting the
amount of headers when HTTP/2 server push is allowed. A remote attacker
could possibly use this issue to cause curl to consume resources, leading
to a denial of service. (CVE-2024-2398)
CISA ICS
Siemens SINEC NMS
cisa_ics·2024-11-14
Siemens SINEC NMS
ICS Advisory
Siemens SINEC NMS
Release Date: November 14, 2024
Alert Code: ICSA-24-319-04
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v4 8.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SINEC NMS
- Vulnerabilities: Improper Input Validation, Improper Check for Unusual or Exceptional Conditions, Out-of-bounds Write, Uncontro
CISA ICS
Hitachi Energy MSM
cisa_ics·2024-11-14·CVSS 8.6
[HIGH] Hitachi Energy MSM
ICS Advisory
Hitachi Energy MSM
Release Date: November 14, 2024
Alert Code: ICSA-24-319-16
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.6
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: MSM
- Vulnerabilities: Missing Release of Resource after Effective Lifetime, Loop with Unreachable Exit Condition ('Infinite Loop')
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to impact the confidentiality, integrity or availability of the MSM.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Hitachi Energy MSM, a condition monitoring system, are affected:
- MSM
Oracle
Oracle Oracle Communications Risk Matrix: Configuration (curl) — CVE-2024-2398
vendor_oracle·2024-10-15·CVSS 8.6
CVE-2024-2398 [HIGH] Oracle Oracle Communications Risk Matrix: Configuration (curl) — CVE-2024-2398
Oracle Oracle Communications Risk Matrix: Configuration (curl) vulnerability
CVE: CVE-2024-2398
CVSS: 8.6
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2024 (OCT 2024)
CISA ICS
Siemens SINEMA
cisa_ics·2024-09-12·CVSS 9.8
[CRITICAL] Siemens SINEMA
ICS Advisory
Siemens SINEMA
Release Date: September 12, 2024
Alert Code: ICSA-24-256-10
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v4 5.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SINEMA
- Vulnerabilities: Use After Free, Improper Input Validation, Improper Certificate Validation, Missing Release of Resource after Effective Lifetime, Improper Validation of Certificate with Host Mismatch, Insufficient Sessi
Apple
CVE-2024-2398: macOS Ventura 13.6.8
vendor_apple·2024-07-29·CVSS 8.6
CVE-2024-2398 [HIGH] CVE-2024-2398: macOS Ventura 13.6.8
Apple Security Update: About the security content of macOS Ventura 13.6.8
Product: macOS Ventura
Version: 13.6.8
CVE: CVE-2024-2398
Component: CVE-2024-2398
Apple
CVE-2024-2398: macOS Sonoma 14.6
vendor_apple·2024-07-29·CVSS 8.6
CVE-2024-2398 [HIGH] CVE-2024-2398: macOS Sonoma 14.6
Apple Security Update: About the security content of macOS Sonoma 14.6
Product: macOS Sonoma
Version: 14.6
CVE: CVE-2024-2398
Component: CVE-2024-2398
Apple
CVE-2024-2398: macOS Monterey 12.7.6
vendor_apple·2024-07-29·CVSS 8.6
CVE-2024-2398 [HIGH] CVE-2024-2398: macOS Monterey 12.7.6
Apple Security Update: About the security content of macOS Monterey 12.7.6
Product: macOS Monterey
Version: 12.7.6
CVE: CVE-2024-2398
Component: CVE-2024-2398
Ubuntu
curl vulnerabilities
vendor_ubuntu·2024-04-29·CVSS 3.5
CVE-2024-2398 [LOW] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
USN-6718-1 fixed vulnerabilities in curl. This update provides the
corresponding updates for Ubuntu 24.04 LTS.
Original advisory details:
Dan Fandrich discovered that curl would incorrectly use the default set of
protocols when a parameter option disabled all protocols without adding
any, contrary to expectations. This issue only affected Ubuntu 23.10.
(CVE-2024-2004)
It was discovered that curl incorrectly handled memory when limiting the
amount of headers when HTTP/2 server push is allowed. A remote attacker
could possibly use this issue to cause curl to consume resources, leading
to a denial of service. (CVE-2024-2398)
Instructions: In general, a standard system update will make all the necessary chan
Ubuntu
curl vulnerability
vendor_ubuntu·2024-03-27·CVSS 8.6
CVE-2024-2398 [HIGH] curl vulnerability
Title: curl vulnerability
Summary: curl could be made to cause a denial of service.
USN-6718-1 fixed a vulnerability in curl. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that curl incorrectly handled memory when limiting the
amount of headers when HTTP/2 server push is allowed. A remote attacker
could possibly use this issue to cause curl to consume resources, leading
to a denial of service. (CVE-2024-2398)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
curl vulnerabilities
vendor_ubuntu·2024-03-27·CVSS 3.5
CVE-2024-2004 [LOW] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Dan Fandrich discovered that curl would incorrectly use the default set of
protocols when a parameter option disabled all protocols without adding
any, contrary to expectations. This issue only affected Ubuntu 23.10.
(CVE-2024-2004)
It was discovered that curl incorrectly handled memory when limiting the
amount of headers when HTTP/2 server push is allowed. A remote attacker
could possibly use this issue to cause curl to consume resources, leading
to a denial of service. (CVE-2024-2398)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
curl: HTTP/2 push headers memory-leak
vendor_redhat·2024-03-27·CVSS 8.6
CVE-2024-2398 [HIGH] CWE-772 curl: HTTP/2 push headers memory-leak
curl: HTTP/2 push headers memory-leak
A flaw was found in curl. When an application configures libcurl to use HTTP/2 server push and the amount of received headers for the push surpasses the maximum allowed limit, libcurl aborts the server push. When aborting, libcurl does not free all the previously allocated headers, resulting in a memory leak.
Package: curl (Red Hat Enterprise
Microsoft
HTTP/2 push headers memory-leak
vendor_msrc·2024-03-12·CVSS 8.6
CVE-2024-2398 [HIGH] CWE-772 HTTP/2 push headers memory-leak
HTTP/2 push headers memory-leak
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
curl: curl
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure
Debian
CVE-2024-2398: curl - When an application tells libcurl it wants to allow HTTP/2 server push, and the ...
vendor_debian·2024·CVSS 8.6
CVE-2024-2398 [HIGH] CVE-2024-2398: curl - When an application tells libcurl it wants to allow HTTP/2 server push, and the ...
Scope: local
bookworm: resolved (fixed in 7.88.1-10+deb12u6)
bullseye: resolved (fixed in 7.74.0-1.3+deb11u12)
forky: resolved (fixed in 8.7.1-1)
sid: resolved (fixed in 8.7.1-1)
trixie: resolved (fixed in 8.7.1-1)
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2024-2398: HTTP/2 push headers memory-leak
hackerone·2024-04-22·CVSS 8.6
CVE-2024-2398 [HIGH] CVE-2024-2398: HTTP/2 push headers memory-leak
CVE-2024-2398: HTTP/2 push headers memory-leak
A memory leak was found in libcurl in handling HTTP/2 push headers, which could lead to a denial of service due to memory exhaustion.
Original report: https://hackerone.com/reports/2402845
## Impact
denial of service
CVE-2024-2398
HTTP/2 push headers memory-leak
VULNERABILITY
INFO
If a server sends many PUSH_PROMISE frames with a
HackerOne
CVE-2024-2398: HTTP/2 push headers memory-leak
hackerone·2024-03-27·CVSS 8.6
CVE-2024-2398 [HIGH] CVE-2024-2398: HTTP/2 push headers memory-leak
CVE-2024-2398: HTTP/2 push headers memory-leak
## Summary:
For each incoming `PUSH_PROMISE` header a new `name:value` string is allocated
and the pointer to that string is stored in the `stream->push_headers` array.
```c
/* one name:value string is allocated per pushed header and its pointer stored in the array */
h = aprintf("%s:%s", name, value);
if(h)
  stream->push_headers[stream->push_headers_used++] = h;
```
Libcurl will reject `PUSH_PROMISE` frames with too many headers.
When the number of headers exceeds some threshold, `on_header` returns an error.
However, libcurl forgets to free the `stream->push_headers` array elements before `stream->push_headers` is freed.
A malicious server may continuously send `PUSH_PROMISE` frames with over 1000 headers, which would eventually consume all available memory.
The same issue exists when `Curl_saferealloc` fails.
```c
if(stream->push_h
```
Bugzilla
CVE-2024-2398 curl: HTTP/2 push headers memory-leak
bugzilla·2024-03-20·CVSS 8.6
CVE-2024-2398 [HIGH] CVE-2024-2398 curl: HTTP/2 push headers memory-leak
CVE-2024-2398 curl: HTTP/2 push headers memory-leak
If a server sends many `PUSH_PROMISE` frames with an excessive amount of headers, this can lead to multiple megabytes of memory leaked *per response*.
HTTP/2 server push is a relatively rarely used feature.
Reference:
https://curl.se/docs/CVE-2024-2398.html
Upstream patch:
https://github.com/curl/curl/commit/deca8039991886a55
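The allocate-then-abort sequence that the HackerOne summary and the Bugzilla description above walk through, as an added example that is not libcurl's code: a hypothetical model of the push-header array with the leaky abort path beside a corrected one, and a leak meter so the difference is observable without a heap profiler. `push_stream`, `on_header`, `abort_push_leaky`, `abort_push_fixed`, `simulate_push` and the 1000-header limit are assumptions modelled on the report, not libcurl's actual functions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical model (added example, not libcurl code) of PUSH_PROMISE header
 * accounting: one name:value string per header, kept in a growing array. */
#define MAX_PUSH_HEADERS 1000

struct push_stream {
    char **push_headers;
    size_t push_headers_used, push_headers_alloc;
};
static size_t live_headers; /* header strings currently allocated: the leak meter */
static char *alloc_header(const char *name, const char *value) {
    size_t n = strlen(name) + strlen(value) + 2;
    char *h = malloc(n);
    if (h) { snprintf(h, n, "%s:%s", name, value); live_headers++; }
    return h;
}
/* Leaky abort as the report describes it: the array is freed, its strings are not. */
static void abort_push_leaky(struct push_stream *s) {
    free(s->push_headers);
    memset(s, 0, sizeof *s);
}
/* Fixed abort: release every accumulated string, then the array. */
static void abort_push_fixed(struct push_stream *s) {
    for (size_t i = 0; i < s->push_headers_used; i++) { free(s->push_headers[i]); live_headers--; }
    free(s->push_headers);
    memset(s, 0, sizeof *s);
}
/* 0 when the header is stored; -1 when the push is aborted because the limit
 * was hit or an allocation failed (the two error paths the report names). */
static int on_header(struct push_stream *s, const char *name, const char *value,
                     void (*abort_push)(struct push_stream *)) {
    if (s->push_headers_used >= MAX_PUSH_HEADERS) { abort_push(s); return -1; }
    if (s->push_headers_used == s->push_headers_alloc) {
        size_t na = s->push_headers_alloc ? s->push_headers_alloc * 2 : 16;
        char **np = realloc(s->push_headers, na * sizeof *np);
        if (!np) { abort_push(s); return -1; }
        s->push_headers = np;
        s->push_headers_alloc = na;
    }
    char *h = alloc_header(name, value);
    if (!h) { abort_push(s); return -1; }
    s->push_headers[s->push_headers_used++] = h;
    return 0;
}
/* Feed a constructed PUSH_PROMISE carrying `count` headers and return how many
 * header strings are still live afterwards (0 means nothing leaked). */
size_t simulate_push(size_t count, int fixed) {
    struct push_stream s = {0};
    live_headers = 0;
    for (size_t i = 0; i < count; i++) {
        char name[32];
        snprintf(name, sizeof name, "x-h%zu", i);
        if (on_header(&s, name, "v", fixed ? abort_push_fixed : abort_push_leaky)) break;
    }
    if (s.push_headers) abort_push_fixed(&s); /* push finished normally: regular cleanup */
    return live_headers;
}
```

With 1001 headers the leaky path leaves 1000 strings allocated after the push is silently dropped, which is what accumulates across repeated pushes; the fixed path leaves none.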
References:
- http://seclists.org/fulldisclosure/2024/Jul/18
- http://seclists.org/fulldisclosure/2024/Jul/19
- http://seclists.org/fulldisclosure/2024/Jul/20
- http://www.openwall.com/lists/oss-security/2024/03/27/3
- https://curl.se/docs/CVE-2024-2398.html
- https://curl.se/docs/CVE-2024-2398.json
- https://hackerone.com/reports/2402845
- https://lists.fedoraproject.org/archives/list/[email protected]/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
- https://security.netapp.com/advisory/ntap-20240503-0009/
- https://support.apple.com/kb/HT214118
- https://support.apple.com/kb/HT214119
- https://support.apple.com/kb/HT214120