CVE-2024-2398

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Published: Mar 27, 2024
Updated: Jul 31, 2025
CVE: CVE-2024-2398
Exploit:

No technical information available.

CWEs:

CWE-772

Affected Software
References

Software	From	Fixed in
haxx / curl	7.44.0	8.7.0
apple / macos	-	12.7.6
apple / macos	14.0	14.6
apple / macos	13.0	13.6.8
fedoraproject / fedora	39	39.x
fedoraproject / fedora	40	40.x

http://seclists.org/fulldisclosure/2024/Jul/18
http://seclists.org/fulldisclosure/2024/Jul/19
http://seclists.org/fulldisclosure/2024/Jul/20
http://www.openwall.com/lists/oss-security/2024/03/27/3
https://curl.se/docs/CVE-2024-2398.html
https://curl.se/docs/CVE-2024-2398.json
https://hackerone.com/reports/2402845
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
https://security.netapp.com/advisory/ntap-20240503-0009/
https://support.apple.com/kb/HT214118
https://support.apple.com/kb/HT214119
https://support.apple.com/kb/HT214120

Vulnerability Database

CVE-2024-2398