CURL-CVE-2021-22945

See a problem?
Please try reporting it to the source first.
Source
https://curl.se/docs/CVE-2021-22945.html
Import Source
https://curl.se/docs/CURL-CVE-2021-22945.json
JSON Data
https://api.test.osv.dev/v1/vulns/CURL-CVE-2021-22945
Aliases
Published
2021-09-15T08:00:00Z
Modified
2025-05-15T17:48:29Z
Summary
UAF and double free in MQTT sending
Details

When sending data to an MQTT server, libcurl could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it again.

Database specific 
{
    "last_affected": "7.78.0",
    "affects": "both",
    "severity": "Medium",
    "URL": "https://curl.se/docs/CVE-2021-22945.json",
    "www": "https://curl.se/docs/CVE-2021-22945.html",
    "issue": "https://hackerone.com/reports/1269242",
    "award": {
        "currency": "USD",
        "amount": "1000"
    },
    "package": "curl",
    "CWE": {
        "id": "CWE-415",
        "desc": "Double Free"
    }
}
References
Credits
    • z2_ - FINDER
    • z2_ - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.73.0
Fixed
7.79.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events
Introduced
2522903b792ac5a802f780df60dc4647c58e2477
Fixed
43157490a5054bd24256fe12876931e8abc9df49

Affected versions

7.*

7.73.0
7.74.0
7.75.0
7.76.0
7.76.1
7.77.0
7.78.0

Database specific 

{
    "vanir_signatures": [
        {
            "id": "CURL-CVE-2021-22945-396483fd",
            "digest": {
                "line_hashes": [
                    "328453786080658004361491463965998398485",
                    "252156255408452342459258152853300683062",
                    "171447148363748109589151842825259079707",
                    "175104515688157307960582739896490386086"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "deprecated": false,
            "target": {
                "file": "lib/mqtt.c"
            },
            "signature_version": "v1",
            "source": "https://github.com/curl/curl.git/commit/43157490a5054bd24256fe12876931e8abc9df49"
        },
        {
            "id": "CURL-CVE-2021-22945-49a9eb3b",
            "digest": {
                "length": 560.0,
                "function_hash": "258886550320820673026644183473732966147"
            },
            "signature_type": "Function",
            "deprecated": false,
            "target": {
                "file": "lib/mqtt.c",
                "function": "mqtt_send"
            },
            "signature_version": "v1",
            "source": "https://github.com/curl/curl.git/commit/43157490a5054bd24256fe12876931e8abc9df49"
        }
    ]
}