{"id":"CVE-2021-22901","details":"curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. Under rare circumstances a malicious server can exploit this to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (for example a reused HTTP/1.1 connection or a multiplexed HTTP/2 connection), the first transfer object may already have been freed by the time the session ticket arrives on that connection, so the stored pointer is then dereferenced into freed memory. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in 
memory.","aliases":["CURL-CVE-2021-22901"],"modified":"2026-04-11T13:53:49.825645Z","published":"2021-06-11T16:15:11.120Z","related":["openSUSE-SU-2024:10582-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210723-0001/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210727-0007/"},{"type":"ADVISORY","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf"},{"type":"REPORT","url":"https://hackerone.com/reports/1180380"},{"type":"FIX","url":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://curl.se/docs/CVE-2021-22901.html"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/curl/curl","events":[{"introduced":"2f33be817cbce6ad7a36f27dd7ada9219f13584c"},{"last_affected":"566b74a0e19b9aa610f4931e5bfd339bcf8e9147"},{"fixed":"7f4a9a9b2a49547eae24d2e19bc5c346e9026479"}],"database_specific":{"versions":[{"introduced":"7.75.0"},{"last_affected":"7.76.1"}]}},{"type":"GIT","repo":"https://github.com/mysql/mysql-server","events":[{"introduced":"0"},{"last_affected":"a9b0c712de3509d8d08d3ba385d41a4df6348775"},{"introduced":"270fd3411e3d671a73ed9725940a30080f59ce6d"},{"last_affected":"98b2ccb470de120d36bc4a623c814cdfded958ec"},{"introduced":"0"},{"last_affected":"61a3a1d8ef15512396b4c2af46e922a19bf2b174"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.7.34"},{"introduced":"8.0.0"},{"last_affected":"8.0.25"},{"introduced":"0"},{"last_affected":"9.1.0"}]}}],"versions":["curl-7_75_0","curl-7_76_0","curl-7_76_1","mysql-3.23.22-beta","mysql-3.23.28-gamma","mysql-3.23.30-gamma","mysql-3.23.31","mys
ql-3.23.32","mysql-3.23.33","mysql-3.23.36","mysql-4.0.2","mysql-4.0.4","mysql-5.1.4","mysql-5.7.31","mysql-5.7.32","mysql-5.7.34","mysql-8.0.24","mysql-8.0.25","mysql-9.0.0-release","mysql-9.1.0","mysql-cluster-8.0.24","mysql-cluster-8.0.25","mysql-cluster-9.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22901.json","vanir_signatures":[{"id":"CVE-2021-22901-112b40cc","target":{"file":"lib/vtls/gskit.c"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["186219220524685466747730293319960369262","221885776772179948375588984335771599016","242092821167957799341998848306994961622"]},"deprecated":false},{"id":"CVE-2021-22901-16afe490","target":{"file":"lib/vtls/wolfssl.c"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["105711553773464346414647333756716138062","2904185772424648690614208022438633360","28943486962530006695741710418216306715"]},"deprecated":false},{"id":"CVE-2021-22901-1a7f75ad","target":{"file":"lib/multi.c"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["187473753366580240819143889369803023555","19947501796357691300854331411987220613","95654700292215788056874075044093236670","54945258926373500052511413367380796929","50910872226802818269537850369166031572","58240838674613881414058697592076492097","327008296953905714942243329393832476807","167690107269592290756581100018194607341","163502143684354781220170101016683290242"]},"deprecated":false},{"id":"CVE-2021-22901-1dc33ea9","target":{"file":"lib/multi.c","function":"Curl_detach_connnection"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5
c346e9026479","signature_version":"v1","signature_type":"Function","digest":{"length":159,"function_hash":"282527232010509207256326083520762769034"},"deprecated":false},{"id":"CVE-2021-22901-29a281cb","target":{"file":"lib/vtls/mesalink.c"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["186219220524685466747730293319960369262","221885776772179948375588984335771599016","118420185482035953781785408918051443343"]},"deprecated":false},{"id":"CVE-2021-22901-5ed26d1d","target":{"file":"lib/vtls/openssl.c"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["73271168870267222109289255326453829008","73827907696276383707622611301589291798","211530242407209078484329373388314723108","188779164379214942689248499697233465740","85386975455582097309536242192917050731","245081344340155641301320834143844850881","62153286337341876067281988598850343391","121669162297169078699046718566740458729","215298610020151475422509359025881665450","160496096879707273982560064615393928037","262253162330575483615990927020006884742","207030032140940270196392569482197400507","52196972406707744499516007337590729723","310848303797566296324889670751101086331","222593396967390567450172725704753887575","235691541654497677847954641653469180817","58633988980821724765059247018395199889","25447831337023957638041419169130371823","147075429205132582405216565002123595763","159239750700783782352173299703698057266","3437427716754797935132463652839023737","127087658280103561645782008847134409151","75199286429243154010508244248962936561","244921248497977065595362047332805878839","335526394393619798921303958949091926921","142148865309299820369778016046747186849","36343027810611685258758416187132301997","145703898883617860025281749174947940817","498210588027256434
25531673427781409057","49678742140860501719462917258286975569","63202482301952805327802201198622534649","293181921711569263243064672048373818969","133900923489114446296021898851185466508","36777361632708934694797056998674843243","11177419630060475881010668020085817087","303422892470415582204293820830754579527","286083972253237306490318597426997081139","261079382685828178432555473902036016734","279260391187534534676049212163993726371","329627646565725648632430807782727645922","79194766196837938283253745097174225478","5571743488213546801408132267818404860","130049941606887403578626904489921224945","178097734931733945871273233063040427391","216425396822114078519857436547106591880","285542075915533030311331310894582100597","181108455092571060169513480302647763308","201208934546635710539200215230233609237","13409051224758349761312328379615738889","299473193568500530537773344539589740788","152017765307026313653490870096797999253"]},"deprecated":false},{"id":"CVE-2021-22901-b01c82f2","target":{"file":"lib/vtls/gtls.c"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["117254624900286043914446684036232897839","278148543623425240728153472164075251212","313428367765666149420051287200382297935"]},"deprecated":false},{"id":"CVE-2021-22901-b75e8d96","target":{"file":"lib/vtls/mbedtls.c"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["155031123524163536542363547886908076616","241564592740147399037087761500264710056","224236323127553732321566263121395653926"]},"deprecated":false},{"id":"CVE-2021-22901-b76d75f7","target":{"file":"lib/vtls/vtls.h"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["17
479791198913112085959967000244748158","122978703432319367585527440563987283441","108255278866082812394702543602527323182","63147417521427190620024285144529305281","281873735472492112698195639167232268211","274123850254446799268534801426234867900","83722995015177457113170279222513998005"]},"deprecated":false},{"id":"CVE-2021-22901-bee48009","target":{"file":"lib/vtls/sectransp.c"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["93612680191468065498685381231912631392","172816224077672263565079124615633457341","316884559720800204945935234868905210031","293326983079720454113692492174647385498"]},"deprecated":false},{"id":"CVE-2021-22901-c3256b70","target":{"file":"lib/vtls/vtls.c"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["220881515393441035084801830498670033932","174542894043304738129105816634116784620","783098884639603181500321915206659113","186219220524685466747730293319960369262","221885776772179948375588984335771599016","72703555703531540869677605507512220101","227890448358690435620343229236177822739"]},"deprecated":false},{"id":"CVE-2021-22901-c729b6cb","target":{"file":"lib/vtls/nss.c"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["89438604099976147155922991379116780231","152200389674360309942177538872971541530","36458605533992043066698451277391902613"]},"deprecated":false},{"id":"CVE-2021-22901-deb6cd76","target":{"file":"lib/vtls/openssl.c","function":"ossl_connect_step1"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","signature_version":"v1","signature_type":"Function","digest":{"length":14664,"function_hash":"308421803234990
224094444390237334411602"},"deprecated":false},{"id":"CVE-2021-22901-e0ea5594","target":{"file":"lib/vtls/schannel.c"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["222480428048420087676105947998287034698","1791862209004315891931085883200233347","335032092301468568357198521291765970795","163498262204948760416787486037998488372","86790545262539225571869431646476558833","102446219944222485332424481391822647475","301150589919494327216392615030845277105"]},"deprecated":false},{"id":"CVE-2021-22901-e28697f3","target":{"file":"lib/vtls/rustls.c"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["186219220524685466747730293319960369262","221885776772179948375588984335771599016","331942912995982428602909187462272364537"]},"deprecated":false},{"id":"CVE-2021-22901-f263bc98","target":{"file":"lib/multi.c","function":"Curl_attach_connnection"},"source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","signature_version":"v1","signature_type":"Function","digest":{"length":299,"function_hash":"276203671696876119948010549383366377839"},"deprecated":false}],"vanir_signatures_modified":"2026-04-11T13:53:49Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"1.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]},{"events":[{"introduced":"0"},{"fixed":"11.1.2.4.047"}]},{"events":[{"introduced":"21.0"},{"fixed":"21.3"}]},{"events":[{"introduced":"0"},{"fixed":"1.0.1.1"}]},{"events":[{"introduced":"8.2.0"},{"fixed":"8.2.12"}]},{"events
":[{"introduced":"9.0.0"},{"fixed":"9.0.6"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}