When sending data to an MQTT server, libcurl could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it again.
{ "issue": "https://hackerone.com/reports/1269242", "award": { "amount": "1000", "currency": "USD" }, "package": "curl", "last_affected": "7.78.0", "www": "https://curl.se/docs/CVE-2021-22945.html", "URL": "https://curl.se/docs/CVE-2021-22945.json", "affects": "both", "CWE": { "desc": "Double Free", "id": "CWE-415" }, "severity": "Medium" }
{ "vanir_signatures": [ { "source": "https://github.com/curl/curl.git/commit/43157490a5054bd24256fe12876931e8abc9df49", "deprecated": false, "signature_type": "Line", "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "328453786080658004361491463965998398485", "252156255408452342459258152853300683062", "171447148363748109589151842825259079707", "175104515688157307960582739896490386086" ] }, "target": { "file": "lib/mqtt.c" }, "id": "CURL-CVE-2021-22945-396483fd" }, { "source": "https://github.com/curl/curl.git/commit/43157490a5054bd24256fe12876931e8abc9df49", "deprecated": false, "signature_type": "Function", "signature_version": "v1", "digest": { "length": 560.0, "function_hash": "258886550320820673026644183473732966147" }, "target": { "file": "lib/mqtt.c", "function": "mqtt_send" }, "id": "CURL-CVE-2021-22945-49a9eb3b" } ] }