CVE-2021-22901

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-22901
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22901.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-22901
Aliases
Downstream
Related
Published
2021-06-11T16:15:11Z
Modified
2025-10-13T10:39:12.262985Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability: already-freed memory is used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this, in rare and unfortunate circumstances, to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer's in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (as with a reused HTTP/1.1 connection or a multiplexed HTTP/2 connection), that first transfer object might be freed before the new session is established on that connection, and the function will then access a memory buffer that might already have been freed. When using that memory, libcurl might even call a function pointer in the object, making remote code execution possible if the server could somehow manage to get crafted memory content into the correct place in memory.

References

Affected packages

Git / github.com/curl/curl

Affected ranges

Type
GIT
Repo
https://github.com/curl/curl
Events
Introduced
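0 Unknown introduced commit / All previous commits are affected (note: the Details text above names only curl 7.75.0 through 7.76.1 as affected, so this range and the tag list below appear over-inclusive; the record also lists no Fixed event)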
Fixed

Affected versions

Other

before_ftp_statemachine
before_urldata_rename
curl-6_5
curl-6_5_1
curl-6_5_2
curl-7_10
curl-7_10_1
curl-7_10_2
curl-7_10_3
curl-7_10_4
curl-7_10_5
curl-7_10_6
curl-7_10_7
curl-7_10_8
curl-7_11_0
curl-7_11_1
curl-7_11_2
curl-7_12_0
curl-7_12_1
curl-7_12_2
curl-7_12_3
curl-7_13_0
curl-7_13_1
curl-7_13_2
curl-7_14_0
curl-7_14_1
curl-7_15_0
curl-7_15_1
curl-7_15_2
curl-7_15_3
curl-7_15_4
curl-7_15_5
curl-7_15_6-prepipeline
curl-7_16_0
curl-7_16_1
curl-7_16_2
curl-7_16_3
curl-7_16_4
curl-7_17_0
curl-7_17_0-preldapfix
curl-7_17_1
curl-7_18_0
curl-7_18_1
curl-7_18_2
curl-7_19_0
curl-7_19_1
curl-7_19_2
curl-7_19_3
curl-7_19_4
curl-7_19_5
curl-7_19_6
curl-7_19_7
curl-7_1_1
curl-7_2
curl-7_20_0
curl-7_20_1
curl-7_21_0
curl-7_21_1
curl-7_21_2
curl-7_21_3
curl-7_21_4
curl-7_21_5
curl-7_21_6
curl-7_21_7
curl-7_22_0
curl-7_23_0
curl-7_23_1
curl-7_24_0
curl-7_25_0
curl-7_26_0
curl-7_27_0
curl-7_28_0
curl-7_28_1
curl-7_29_0
curl-7_3
curl-7_30_0
curl-7_31_0
curl-7_32_0
curl-7_33_0
curl-7_34_0
curl-7_35_0
curl-7_36_0
curl-7_37_0
curl-7_37_1
curl-7_38_0
curl-7_39_0
curl-7_40_0
curl-7_41_0
curl-7_42_0
curl-7_43_0
curl-7_44_0
curl-7_45_0
curl-7_46_0
curl-7_47_0
curl-7_47_1
curl-7_48_0
curl-7_49_0
curl-7_49_1
curl-7_4_1
curl-7_5
curl-7_50_0
curl-7_50_1
curl-7_50_2
curl-7_50_3
curl-7_51_0
curl-7_52_0
curl-7_52_1
curl-7_53_0
curl-7_53_1
curl-7_54_0
curl-7_54_1
curl-7_55_0
curl-7_55_1
curl-7_56_0
curl-7_56_1
curl-7_57_0
curl-7_58_0
curl-7_59_0
curl-7_5_2
curl-7_6
curl-7_6-pre4
curl-7_60_0
curl-7_61_0
curl-7_61_1
curl-7_62_0
curl-7_63_0
curl-7_64_0
curl-7_64_1
curl-7_65_0
curl-7_65_1
curl-7_65_2
curl-7_65_3
curl-7_66_0
curl-7_67_0
curl-7_68_0
curl-7_69_0
curl-7_69_1
curl-7_6_1
curl-7_6_1-pre1
curl-7_6_1-pre2
curl-7_6_1-pre3
curl-7_7
curl-7_7-beta1
curl-7_7-beta2
curl-7_7-beta3
curl-7_7-beta5
curl-7_70_0
curl-7_71_0
curl-7_71_1
curl-7_72_0
curl-7_73_0
curl-7_74_0
curl-7_75_0
curl-7_76_0
curl-7_76_1
curl-7_7_1
curl-7_7_2
curl-7_7_3
curl-7_7_alpha2
curl-7_8
curl-7_8-pre2
curl-7_8_1
curl-7_8_1-pre3
curl-7_9
curl-7_9_1
curl-7_9_2
curl-7_9_3
curl-7_9_3-pre1
curl-7_9_3-pre2
curl-7_9_3-pre3
curl-7_9_4
curl-7_9_5
curl-7_9_5-pre2
curl-7_9_5-pre4
curl-7_9_6
curl-7_9_7
curl-7_9_7-pre2
curl-7_9_8
curl_7_6-pre3

Database specific

{
    "vanir_signatures": [
        {
            "deprecated": false,
            "id": "CVE-2021-22901-112b40cc",
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "186219220524685466747730293319960369262",
                    "221885776772179948375588984335771599016",
                    "242092821167957799341998848306994961622"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "lib/vtls/gskit.c"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        },
        {
            "deprecated": false,
            "id": "CVE-2021-22901-16afe490",
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "105711553773464346414647333756716138062",
                    "2904185772424648690614208022438633360",
                    "28943486962530006695741710418216306715"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "lib/vtls/wolfssl.c"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        },
        {
            "deprecated": false,
            "id": "CVE-2021-22901-1a7f75ad",
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "187473753366580240819143889369803023555",
                    "19947501796357691300854331411987220613",
                    "95654700292215788056874075044093236670",
                    "54945258926373500052511413367380796929",
                    "50910872226802818269537850369166031572",
                    "58240838674613881414058697592076492097",
                    "327008296953905714942243329393832476807",
                    "167690107269592290756581100018194607341",
                    "163502143684354781220170101016683290242"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "lib/multi.c"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        },
        {
            "deprecated": false,
            "id": "CVE-2021-22901-1dc33ea9",
            "signature_version": "v1",
            "digest": {
                "length": 159.0,
                "function_hash": "282527232010509207256326083520762769034"
            },
            "signature_type": "Function",
            "target": {
                "function": "Curl_detach_connnection",
                "file": "lib/multi.c"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        },
        {
            "deprecated": false,
            "id": "CVE-2021-22901-29a281cb",
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "186219220524685466747730293319960369262",
                    "221885776772179948375588984335771599016",
                    "118420185482035953781785408918051443343"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "lib/vtls/mesalink.c"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        },
        {
            "deprecated": false,
            "id": "CVE-2021-22901-5ed26d1d",
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "73271168870267222109289255326453829008",
                    "73827907696276383707622611301589291798",
                    "211530242407209078484329373388314723108",
                    "188779164379214942689248499697233465740",
                    "85386975455582097309536242192917050731",
                    "245081344340155641301320834143844850881",
                    "62153286337341876067281988598850343391",
                    "121669162297169078699046718566740458729",
                    "215298610020151475422509359025881665450",
                    "160496096879707273982560064615393928037",
                    "262253162330575483615990927020006884742",
                    "207030032140940270196392569482197400507",
                    "52196972406707744499516007337590729723",
                    "310848303797566296324889670751101086331",
                    "222593396967390567450172725704753887575",
                    "235691541654497677847954641653469180817",
                    "58633988980821724765059247018395199889",
                    "25447831337023957638041419169130371823",
                    "147075429205132582405216565002123595763",
                    "159239750700783782352173299703698057266",
                    "3437427716754797935132463652839023737",
                    "127087658280103561645782008847134409151",
                    "75199286429243154010508244248962936561",
                    "244921248497977065595362047332805878839",
                    "335526394393619798921303958949091926921",
                    "142148865309299820369778016046747186849",
                    "36343027810611685258758416187132301997",
                    "145703898883617860025281749174947940817",
                    "49821058802725643425531673427781409057",
                    "49678742140860501719462917258286975569",
                    "63202482301952805327802201198622534649",
                    "293181921711569263243064672048373818969",
                    "133900923489114446296021898851185466508",
                    "36777361632708934694797056998674843243",
                    "11177419630060475881010668020085817087",
                    "303422892470415582204293820830754579527",
                    "286083972253237306490318597426997081139",
                    "261079382685828178432555473902036016734",
                    "279260391187534534676049212163993726371",
                    "329627646565725648632430807782727645922",
                    "79194766196837938283253745097174225478",
                    "5571743488213546801408132267818404860",
                    "130049941606887403578626904489921224945",
                    "178097734931733945871273233063040427391",
                    "216425396822114078519857436547106591880",
                    "285542075915533030311331310894582100597",
                    "181108455092571060169513480302647763308",
                    "201208934546635710539200215230233609237",
                    "13409051224758349761312328379615738889",
                    "299473193568500530537773344539589740788",
                    "152017765307026313653490870096797999253"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "lib/vtls/openssl.c"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        },
        {
            "deprecated": false,
            "id": "CVE-2021-22901-b01c82f2",
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "117254624900286043914446684036232897839",
                    "278148543623425240728153472164075251212",
                    "313428367765666149420051287200382297935"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "lib/vtls/gtls.c"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        },
        {
            "deprecated": false,
            "id": "CVE-2021-22901-b75e8d96",
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "155031123524163536542363547886908076616",
                    "241564592740147399037087761500264710056",
                    "224236323127553732321566263121395653926"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "lib/vtls/mbedtls.c"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        },
        {
            "deprecated": false,
            "id": "CVE-2021-22901-b76d75f7",
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "17479791198913112085959967000244748158",
                    "122978703432319367585527440563987283441",
                    "108255278866082812394702543602527323182",
                    "63147417521427190620024285144529305281",
                    "281873735472492112698195639167232268211",
                    "274123850254446799268534801426234867900",
                    "83722995015177457113170279222513998005"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "lib/vtls/vtls.h"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        },
        {
            "deprecated": false,
            "id": "CVE-2021-22901-bee48009",
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "93612680191468065498685381231912631392",
                    "172816224077672263565079124615633457341",
                    "316884559720800204945935234868905210031",
                    "293326983079720454113692492174647385498"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "lib/vtls/sectransp.c"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        },
        {
            "deprecated": false,
            "id": "CVE-2021-22901-c3256b70",
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "220881515393441035084801830498670033932",
                    "174542894043304738129105816634116784620",
                    "783098884639603181500321915206659113",
                    "186219220524685466747730293319960369262",
                    "221885776772179948375588984335771599016",
                    "72703555703531540869677605507512220101",
                    "227890448358690435620343229236177822739"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "lib/vtls/vtls.c"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        },
        {
            "deprecated": false,
            "id": "CVE-2021-22901-c729b6cb",
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "89438604099976147155922991379116780231",
                    "152200389674360309942177538872971541530",
                    "36458605533992043066698451277391902613"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "lib/vtls/nss.c"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        },
        {
            "deprecated": false,
            "id": "CVE-2021-22901-deb6cd76",
            "signature_version": "v1",
            "digest": {
                "length": 14664.0,
                "function_hash": "308421803234990224094444390237334411602"
            },
            "signature_type": "Function",
            "target": {
                "function": "ossl_connect_step1",
                "file": "lib/vtls/openssl.c"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        },
        {
            "deprecated": false,
            "id": "CVE-2021-22901-e0ea5594",
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "222480428048420087676105947998287034698",
                    "1791862209004315891931085883200233347",
                    "335032092301468568357198521291765970795",
                    "163498262204948760416787486037998488372",
                    "86790545262539225571869431646476558833",
                    "102446219944222485332424481391822647475",
                    "301150589919494327216392615030845277105"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "lib/vtls/schannel.c"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        },
        {
            "deprecated": false,
            "id": "CVE-2021-22901-e28697f3",
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "186219220524685466747730293319960369262",
                    "221885776772179948375588984335771599016",
                    "331942912995982428602909187462272364537"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "lib/vtls/rustls.c"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        },
        {
            "deprecated": false,
            "id": "CVE-2021-22901-f263bc98",
            "signature_version": "v1",
            "digest": {
                "length": 299.0,
                "function_hash": "276203671696876119948010549383366377839"
            },
            "signature_type": "Function",
            "target": {
                "function": "Curl_attach_connnection",
                "file": "lib/multi.c"
            },
            "source": "https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"
        }
    ]
}