CVE-2024-7264

Published: Jul 31, 2024

Modified: Nov 3, 2025

PUBLISHED

Description

libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.
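
The bug class described above, shown from the defensive side as an added example (this is not libcurl's code or its fix): a parser for the fractional seconds that works only on explicit buffer bounds, so the length can never go negative and `strlen()` is never called. The function names, the sample bytes and the restriction to the `YYYYMMDDHHMMSS` form are assumptions made for illustration.

```c
#include <stddef.h>

/* Hypothetical helper, not libcurl code. Finds the fractional-seconds digits
 * of a GeneralizedTime in [beg, end); the buffer is NOT NUL-terminated.
 * Assumes the YYYYMMDDHHMMSS form. Returns 0 on success, -1 if malformed. */
int gtime_fraction(const char *beg, const char *end,
                   const char **frac, size_t *fraclen)
{
  const char *p = beg;
  const char *f;

  *frac = NULL;
  *fraclen = 0;
  if(!beg || !end || end < beg || (size_t)(end - beg) < 14)
    return -1;                   /* too short to hold date and time */
  for(; p < beg + 14; p++)
    if(*p < '0' || *p > '9')
      return -1;
  if(p == end || (*p != '.' && *p != ','))
    return 0;                    /* no fraction: length stays 0 */
  f = ++p;                       /* first byte after the separator */
  while(p < end && *p >= '0' && *p <= '9')
    p++;
  if(p == f)
    return -1;                   /* separator with no digits: reject */
  while(p > f && p[-1] == '0')
    p--;                         /* strip trailing zeros, never past f */
  *frac = f;
  *fraclen = (size_t)(p - f);    /* from pointer arithmetic, never strlen() */
  return 0;
}

/* Constructed sample: 14 digits and a dangling '.', with no terminator. */
const char sample_dangling[15] = {'2','0','2','4','0','7','3','1',
                                  '1','2','0','0','0','0','.'};

/* Returns the fraction length, or -1 when the field is rejected. */
long fraction_len(const char *buf, size_t n)
{
  const char *frac;
  size_t len;
  return gtime_fraction(buf, buf + n, &frac, &len) ? -1L : (long)len;
}

int main(void)
{
  return fraction_len(sample_dangling, sizeof(sample_dangling)) == -1 ? 0 : 1;
}
```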

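| Vendor | Product | Versions |
|--------|---------|----------|
| curl | curl | affected: 8.9.0 - <= 8.9.0 |
| curl | curl | affected: 8.8.0 - <= 8.8.0 |
| curl | curl | affected: 8.7.1 - <= 8.7.1 |
| curl | curl | affected: 8.7.0 - <= 8.7.0 |
| curl | curl | affected: 8.6.0 - <= 8.6.0 |

+90 more versions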
