{"id":"CURL-CVE-2024-2398","summary":"HTTP/2 push headers memory-leak","details":"When an application tells libcurl it wants to allow HTTP/2 server push, and\nthe amount of received headers for the push surpasses the maximum allowed\nlimit (1000), libcurl aborts the server push. When aborting, libcurl\ninadvertently does not free all the previously allocated headers and instead\nleaks the memory.\n\nFurther, this error condition fails silently and is therefore not easily\ndetected by an application.","aliases":["CVE-2024-2398"],"modified":"2026-04-25T20:22:35.505105Z","published":"2024-03-27T08:00:00Z","database_specific":{"last_affected":"8.6.0","www":"https://curl.se/docs/CVE-2024-2398.html","award":{"currency":"USD","amount":"2540"},"URL":"https://curl.se/docs/CVE-2024-2398.json","package":"curl","severity":"Medium","affects":"lib","CWE":{"desc":"Missing Release of Resource after Effective Lifetime","id":"CWE-772"},"issue":"https://hackerone.com/reports/2402845"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.44.0"},{"fixed":"8.7.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ea7134ac874a66107e54ff93657ac565cf2ec4aa"},{"fixed":"deca8039991886a559b67bcd6701db800a5cf764"}]}],"versions":["8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/curl/curl.git/commit/deca8039991886a559b67bcd6701db800a5cf764","signature_type":"Function","signature_version":"v1","digest":{"function_hash":"57212166138629680836926936433862136724","length":2130},"id":"CURL-CVE-2024-2398-aee61dcf","target":{"file":"lib/http2.c","function":"push_promise"},"deprecated":false},{"source":"https://github.com/curl/curl.git/commit/deca8039991886a559b67bcd6701db800a5cf764","signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["7088876839149707156940895701661019823","336143788764753876999275281293239775588","6082853181056810224686031065394385322","270976838733411746067674104765652600829","225371423435535026862843596314237414150","57505098515047564594938639966552709516","188980441709706507119585030643922341976","327886802839139712985788540504956790912","138620575379375027735357726681903708879","188282122836455935944869724469526968033","321754076209565714753324910553718859459","338614796633464526555639453300406501569","208823856354875908745721566681387375313","143227661570209865307835747718773434905","300925804325539444622465875223855410426","244357795932871989282825808473185839149","99753946856422809656860280156402198753","322232753456803974559312122811319767491","121271027958774049640811886054027657974","105733410859346155439400113244254971286","235517509628517051559324330194044246509","164911828945627539710988336893751924409","281297570365010563263791868360670733302","89508804383524495319258655884027712416","167276147733487007400289371348312927040","175794152504679294155718593642097298258","176622718669801264481597057903406847218","196073321927650370159630826797438134530","298916521300893585095270409115501063707","59677880640376856438629282196440026807","147719648327330110958781048679152969966","314437254144341254009061810959688164635","85847464617368338446780390074902579127","259017224466225210694194048863577780531","189400063681863625734874451675917799519","283326224611957434999905965169584210307"],"threshold":0.9},"id":"CURL-CVE-2024-2398-d6c4802d","target":{"file":"lib/http2.c"},"deprecated":false},{"source":"https://github.com/curl/curl.git/commit/deca8039991886a559b67bcd6701db800a5cf764","signature_type":"Function","signature_version":"v1","digest":{"function_hash":"164048778896218230066850293748599299292","length":1000},"id":"CURL-CVE-2024-2398-d7c89e74","target":{"file":"lib/http2.c","function":"http2_data_done"},"deprecated":false},{"source":"https://github.com/curl/curl.git/commit/deca8039991886a559b67bcd6701db800a5cf764","signature_type":"Function","signature_version":"v1","digest":{"function_hash":"202121698874621003664693905132348120233","length":3943},"id":"CURL-CVE-2024-2398-e7561d79","target":{"file":"lib/http2.c","function":"on_header"},"deprecated":false}],"source":"https://curl.se/docs/CURL-CVE-2024-2398.json","vanir_signatures_modified":"2026-04-25T20:22:35Z"}}],"schema_version":"1.7.5","credits":[{"name":"w0x42 on hackerone","type":"FINDER"},{"name":"Stefan Eissing","type":"REMEDIATION_DEVELOPER"}]}