{"id":"CURL-CVE-2024-6197","summary":"freeing stack buffer in utf8asn1str","details":"libcurl's ASN1 parser has this `utf8asn1str()` function used for parsing an\nASN.1 UTF-8 string. It can detect an invalid field and return error.\nUnfortunately, when doing so it also invokes `free()` on a 4 byte local stack\nbuffer.\n\nMost modern malloc implementations detect this error and immediately abort.\nSome however accept the input pointer and add that memory to its list of\navailable chunks. This leads to the overwriting of nearby stack memory. The\ncontent of the overwrite is decided by the `free()` implementation; likely to\nbe memory pointers and a set of flags.\n\nThe most likely outcome of exploiting this flaw is a crash, although it cannot\nbe ruled out that more serious results can be had in special circumstances.","aliases":["CVE-2024-6197"],"modified":"2026-04-25T20:22:28.815305Z","published":"2024-07-24T08:00:00Z","database_specific":{"affects":"both","www":"https://curl.se/docs/CVE-2024-6197.html","package":"curl","last_affected":"8.8.0","CWE":{"desc":"Free of Memory not on the Heap","id":"CWE-590"},"URL":"https://curl.se/docs/CVE-2024-6197.json","severity":"Medium","issue":"https://hackerone.com/reports/2559516","award":{"currency":"USD","amount":"2540"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.6.0"},{"fixed":"8.9.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"623c3a8fa0bdb2751f14b3741760d81910b7ec64"},{"fixed":"3a537a4db9e65e545ec45b1b5d5575ee09a2569d"}]}],"versions":["8.8.0","8.7.1","8.7.0","8.6.0"],"database_specific":{"vanir_signatures_modified":"2026-04-25T20:22:28Z","source":"https://curl.se/docs/CURL-CVE-2024-6197.json","vanir_signatures":[{"id":"CURL-CVE-2024-6197-30fe796b","target":{"function":"utf8asn1str","file":"lib/vtls/x509asn1.c"},"source":"https://github.com/curl/curl.git/commit/3a537a4db9e65e545ec45b1b5d5575ee09a2569d","digest":{"length":1635,"function_hash":"93029967338058506930174009721303081412"},"deprecated":false,"signature_version":"v1","signature_type":"Function"},{"id":"CURL-CVE-2024-6197-c8706841","target":{"file":"lib/vtls/x509asn1.c"},"source":"https://github.com/curl/curl.git/commit/3a537a4db9e65e545ec45b1b5d5575ee09a2569d","digest":{"threshold":0.9,"line_hashes":["51958416006947950476431544216547178666","299273009271053043586874986129068299942","184994429828236905684305584888099753146","26791432400550624243581513650400640798"]},"deprecated":false,"signature_version":"v1","signature_type":"Line"}]}}],"schema_version":"1.7.5","credits":[{"name":"z2_","type":"FINDER"},{"name":"z2_","type":"REMEDIATION_DEVELOPER"}]}