A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, subsequently invokes curl_easy_reset(), and finally terminates the handle with curl_easy_cleanup(). During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.
{
"priority_reason": "Upstream defined this as low severity",
"binaries": [
{
"binary_version": "8.5.0-2ubuntu10.11",
"binary_name": "curl"
},
{
"binary_version": "8.5.0-2ubuntu10.11",
"binary_name": "libcurl3t64-gnutls"
},
{
"binary_version": "8.5.0-2ubuntu10.11",
"binary_name": "libcurl4t64"
}
],
"availability": "No subscription required"
}
{
"priority_reason": "Upstream defined this as low severity",
"binaries": [
{
"binary_version": "8.14.1-2ubuntu1.5",
"binary_name": "curl"
},
{
"binary_version": "8.14.1-2ubuntu1.5",
"binary_name": "libcurl3t64-gnutls"
},
{
"binary_version": "8.14.1-2ubuntu1.5",
"binary_name": "libcurl4t64"
}
],
"availability": "No subscription required"
}
{
"priority_reason": "Upstream defined this as low severity",
"binaries": [
{
"binary_version": "8.18.0-1ubuntu2.3",
"binary_name": "curl"
},
{
"binary_version": "8.18.0-1ubuntu2.3",
"binary_name": "libcurl3t64-gnutls"
},
{
"binary_version": "8.18.0-1ubuntu2.3",
"binary_name": "libcurl4t64"
}
],
"availability": "No subscription required"
}