CVE-2024-2398: HTTP/2 push headers memory-leak
First published: Wed Mar 20 2024(Updated: )
Accounts. The issue was addressed with improved checks.
Credit: 2499f714-1537-4658-8207-48ae4bb9eae9 CVE-2024-2004 CVE-2024-2379 CVE-2024-2398 CVE-2024-2466 Csaba Fitzl @theevilbit KandjiMinghao Lin Baidu Security Baidu SecurityYe Zhang @VAR10CK Baidu SecurityMickey Jin @patch1t Michael DePlante @izobashi Trend Micro Zero Day InitiativeD4m0n Amir Bazine CrowdStrike Counter Adversary OperationsKarsten König CrowdStrike Counter Adversary Operationsan anonymous researcher CVE-2023-6277 CVE-2023-52356 Yisumi sqrtpwn Minghao Lin Zhejiang UniversityJiaxun Zhu Zhejiang UniversityPatrick Wardle DoubleYouAdam M. CVE-2024-6387 Zhongquan Li @Guluisacat Dawn Security Lab of JingDongClaudio Bozzato Cisco TalosFrancesco Benvenuto Cisco TalosCVE-2024-23296 Yadhu Krishna M Cyber Security At Suma Soft PvtNarendra Bhati Cyber Security At Suma Soft PvtManager Cyber Security At Suma Soft PvtPune (India) Kirin @Pwnrin Joshua Jones Marcio Almeida Tanto SecurityJiahui Hu (梅零落) NorthSeaMeng Zhang (鲸落) NorthSeaMatthew Loewen Yann Gascuel Alter Solutionsw0wbox Junsung Lee Trend Micro Zero Day Initiative CrowdStrike Counter Adversary OperationsGandalf4a CertiK SkyFall Team CVE-2024-40805 Rodolphe BRUNETTI @eisw0lf Mickey Jin @patch1t Kandji KandjiMateen Alinaghi Csaba Fitzl @theevilbit Offensive SecurityWojciech Regula SecuRing Dawn Security Lab of JingDongJiwon Park Bistrit Dahal Srijan Poudel Arsenii Kostromin (0x3c3e) Huang Xilin Ant Group LightMaksymilian Motyl Johan Carlsson (joaxcar) Seunghyun Lee @0x10n KAIST Hacking Lab working with Trend Micro Zero Day InitiativeCVE-2024-4558 Matthew Butler Gary Kwong Andreas Jaegersberger Ro Achterberg IES Red Team ByteDanceYeto Abhay Kailasia @abhay_kailasia Lakshmi Narain College of Technology Bhopal India
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apple macOS Monterey | <12.7.6 | 12.7.6 |
| debian/curl | <=7.74.0-1.3+deb11u11<=7.88.1-10+deb12u5 | 7.74.0-1.3+deb11u13 7.88.1-10+deb12u7 8.10.1-2 |
| redhat/curl | <8.7.0 | 8.7.0 |
| Apple macOS | <14.6 | 14.6 |
| Apple macOS | <13.6.8 | 13.6.8 |
| IBM Cognos Dashboards | <=5.0.0 | |
| IBM Cognos Dashboards | <=4.8.0 | |
| <12.7.6 | 12.7.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
- https://hackerone.com/reports/2402845
- https://curl.se/docs/CVE-2024-2398.json
- https://curl.se/docs/CVE-2024-2398.html
- https://security.netapp.com/advisory/ntap-20240503-0009/
- http://www.openwall.com/lists/oss-security/2024/03/27/3
- https://launchpad.net/bugs/cve/CVE-2024-2398
- http://seclists.org/fulldisclosure/2024/Jul/18
- http://seclists.org/fulldisclosure/2024/Jul/19
- http://seclists.org/fulldisclosure/2024/Jul/20
- https://support.apple.com/kb/HT214118
- https://support.apple.com/kb/HT214119
- https://support.apple.com/kb/HT214120
- https://support.apple.com/en-us/HT214118 (Advisory)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2398
- https://nvd.nist.gov/vuln/detail/CVE-2024-2398
- https://security-tracker.debian.org/tracker/CVE-2024-2398
- https://ubuntu.com/security/CVE-2024-2398
- https://github.com/curl/curl/commit/ea7134ac874a66107e54ff93657ac565cf2ec4aa
- https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764
- https://github.com/curl/curl/commit/deca8039991886a559b67bcd6
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2271824
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2271825
- https://access.redhat.com/errata/RHSA-2024:2694
- https://access.redhat.com/errata/RHSA-2024:2693
- https://access.redhat.com/errata/RHSA-2024:3998
- https://access.redhat.com/errata/RHSA-2024:5529
- https://access.redhat.com/errata/RHSA-2024:5654
- https://access.redhat.com/errata/RHSA-2024:7213
- https://access.redhat.com/errata/RHSA-2024:7374
- https://bugzilla.redhat.com/show_bug.cgi?id=2270498
- https://support.apple.com/en-us/HT214119 (Advisory)
- https://support.apple.com/en-us/HT214120 (Advisory)
- https://www.ibm.com/support/pages/node/7177766 (Advisory)
- https://support.apple.com/en-us/120910 (Advisory)
- https://support.apple.com/en-us/120911 (Advisory)
- https://support.apple.com/en-us/120912 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2024-40783
- CVE-2024-27826
- CVE-2024-40775
- CVE-2024-40774
- CVE-2024-27877
- CVE-2024-40799
- CVE-2024-27873
- CVE-2024-2004
- CVE-2024-2379
- CVE-2024-2398
- CVE-2024-2466
- CVE-2024-40827
- CVE-2024-40828
- CVE-2023-6277
- CVE-2023-52356
- CVE-2024-40806
- CVE-2024-40816
- CVE-2024-40788
- CVE-2024-40803
- CVE-2024-40796
- CVE-2024-6387
- CVE-2024-40781
- CVE-2024-40802
- CVE-2024-40823
- CVE-2024-27882
- CVE-2024-27883
- CVE-2024-40800
- CVE-2024-23296
- CVE-2024-40817
- CVE-2024-27881
- CVE-2024-40821
- CVE-2024-40798
- CVE-2024-40833
- CVE-2024-40835
- CVE-2024-40807
- CVE-2024-40834
- CVE-2024-40787
- CVE-2024-40793
- CVE-2024-40809
- CVE-2024-40812
- CVE-2024-23261
- CVE-2024-40804
- CVE-2023-38709
- CVE-2024-24795
- CVE-2024-27316
- CVE-2024-40814
- CVE-2024-27878
- CVE-2024-40815
- CVE-2024-40795
- CVE-2024-40777
- CVE-2024-40784
- CVE-2024-27863
- CVE-2024-40805
- CVE-2024-40832
- CVE-2024-40778
- CVE-2023-27952
- CVE-2024-40824
- CVE-2024-27871
- CVE-2024-27872
- CVE-2024-27862
- CVE-2024-40836
- CVE-2024-40818
- CVE-2024-40822
- CVE-2024-40811
- CVE-2024-40776
- CVE-2024-40782
- CVE-2024-40779
- CVE-2024-40780
- CVE-2024-40785
- CVE-2024-40789
- CVE-2024-4558
- CVE-2024-40794
- CVE-2024-40786
- CVE-2024-40829
- CVE-2024-44205
- CVE-2024-44306
- CVE-2024-44307
- CVE-2024-44141
- CVE-2024-40810
- CVE-2024-44185
- CVE-2024-44206
Frequently Asked Questions
What is the severity of CVE-2024-2398?
CVE-2024-2398 is classified as a denial of service vulnerability with a medium severity due to its potential for causing system instability.
How do I fix CVE-2024-2398?
To fix CVE-2024-2398, update to the patched versions of cURL as specified by the respective vendors.
What systems are affected by CVE-2024-2398?
CVE-2024-2398 affects multiple versions of cURL on various platforms including macOS Monterey, macOS Ventura, macOS Sonoma, and IBM Cognos Dashboards.
What type of attack does CVE-2024-2398 allow?
CVE-2024-2398 allows a remote attacker to exploit a memory leak vulnerability through specially crafted HTTP/2 PUSH_PROMISE frames.
Can CVE-2024-2398 cause data loss?
While CVE-2024-2398 primarily causes a denial of service condition, it does not directly lead to data loss but may impact availability.
- agent/title
- agent/type
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-2398
- agent/remedy
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/severity
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- collector/apple-support
- source/Apple
- alias/CVE-2024-2379
- alias/CVE-2024-2466
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- collector/security-tracker-debian
- source/Debian
- agent/trending
- collector/redhat-bugzilla
- source/Red Hat
- agent/last-modified-date
- agent/source
- agent/software-canonical-lookup-request
- collector/ibm-support
- source/IBM
- agent/tags
- alias/CVE-2024-27826
- alias/CVE-2024-40775
- alias/CVE-2024-40774
- alias/CVE-2024-27877
- alias/CVE-2024-40799
- alias/CVE-2024-27873
- alias/CVE-2024-2004
- alias/CVE-2024-40827
- alias/CVE-2024-40828
- alias/CVE-2023-6277
- alias/CVE-2023-52356
- alias/CVE-2024-40806
- alias/CVE-2024-40816
- alias/CVE-2024-40788
- alias/CVE-2024-40803
- alias/CVE-2024-40796
- alias/CVE-2024-6387
- alias/CVE-2024-40781
- alias/CVE-2024-40802
- alias/CVE-2024-40823
- alias/CVE-2024-27882
- alias/CVE-2024-27883
- alias/CVE-2024-40800
- alias/CVE-2024-23296
- alias/CVE-2024-40817
- alias/CVE-2024-27881
- alias/CVE-2024-40821
- alias/CVE-2024-40798
- alias/CVE-2024-40833
- alias/CVE-2024-40835
- alias/CVE-2024-40807
- alias/CVE-2024-40834
- alias/CVE-2024-40787
- alias/CVE-2024-40793
- alias/CVE-2024-40809
- alias/CVE-2024-40812
- alias/CVE-2024-44205
- alias/CVE-2024-23261
- alias/CVE-2024-44141
- alias/CVE-2024-40815
- alias/CVE-2024-40795
- alias/CVE-2024-40777
- alias/CVE-2024-40784
- alias/CVE-2024-40810
- alias/CVE-2024-27863
- alias/CVE-2024-40805
- alias/CVE-2024-40832
- alias/CVE-2024-40778
- alias/CVE-2023-27952
- alias/CVE-2024-40824
- alias/CVE-2024-27871
- alias/CVE-2024-27872
- alias/CVE-2024-27862
- alias/CVE-2024-40836
- alias/CVE-2024-40818
- alias/CVE-2024-40822
- alias/CVE-2024-40811
- alias/CVE-2024-40776
- alias/CVE-2024-40782
- alias/CVE-2024-40779
- alias/CVE-2024-40780
- alias/CVE-2024-40785
- alias/CVE-2024-40789
- alias/CVE-2024-4558
- alias/CVE-2024-40794
- alias/CVE-2024-44185
- alias/CVE-2024-44206
- alias/CVE-2023-38709
- alias/CVE-2024-24795
- alias/CVE-2024-27316
- alias/CVE-2024-40783
- alias/CVE-2024-40814
- alias/CVE-2024-27878
- alias/CVE-2024-44306
- alias/CVE-2024-44307
- alias/CVE-2024-40786
- alias/CVE-2024-40829
- agent/event
- agent/softwarecombine
- agent/description
- agent/weakness
- agent/references
- agent/author
- vendor/apple
- canonical/apple macos monterey
- package-manager/debian
- package-manager/redhat
- canonical/apple macos
- vendor/ibm
- canonical/ibm cognos dashboards
- version/ibm cognos dashboards/5.0.0
- version/ibm cognos dashboards/4.8.0