CVE-2021-22901 Overview
CVE-2021-22901 is a use-after-free vulnerability affecting curl versions 7.75.0 through 7.76.1. The flaw exists in how libcurl handles TLS 1.3 session tickets when using OpenSSL. When a TLS 1.3 session ticket arrives over a connection that has been reused by multiple transfers, the library may access memory that has already been freed. This occurs because libcurl stores pointers to transfer in-memory objects for later retrieval when session tickets arrive, but these objects may be freed before the new session is established on a multiplexed or reused connection.
A malicious server could potentially exploit this vulnerability under rare circumstances to achieve remote code execution in the client application. The vulnerability is particularly concerning because libcurl might call a function pointer stored in the freed object, enabling arbitrary code execution if an attacker can control the memory contents at the freed location.
Critical Impact
Remote code execution possible on client systems when connecting to malicious TLS 1.3 servers via curl/libcurl with OpenSSL backend on reused or multiplexed connections.
Affected Products
- Haxx curl 7.75.0 through 7.76.1
- Oracle Communications Cloud Native Core (multiple components including Binding Support Function, Network Repository Function, Service Communication Proxy)
- Oracle MySQL Server
- Oracle Essbase
- NetApp Active IQ Unified Manager, Cloud Backup, OnCommand Insight, SnapCenter
- NetApp HCI and SolidFire hardware/firmware components
- Siemens SINEC Infrastructure Network Services
- Splunk Universal Forwarder
Discovery Timeline
- 2021-06-11 - CVE-2021-22901 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-22901
Vulnerability Analysis
This vulnerability represents a classic use-after-free memory corruption issue within libcurl's TLS session handling code. The flaw manifests when libcurl configures TLS 1.3 session ticket support using the OpenSSL backend. During this process, libcurl stores pointers to the current transfer's in-memory data structure for later use when session tickets arrive from the server.
The vulnerability is triggered in scenarios involving connection reuse—specifically with HTTP/1.1 connection reuse or HTTP/2 multiplexing. In these configurations, multiple transfers may share the same underlying TLS connection. If the first transfer object is freed while the connection remains active and a subsequent session ticket arrives, the callback function attempts to access the now-freed memory. This can lead to information disclosure, application crashes, or in worst-case scenarios where an attacker controls the freed memory contents, remote code execution.
Root Cause
The root cause lies in improper lifecycle management of transfer-to-connection associations in libcurl's OpenSSL integration layer. When a transfer completes and its associated Curl_easy data structure is freed, the connection's reference to this structure was not being properly invalidated. The OpenSSL session ticket callback retained a stale pointer to the freed transfer object.
The fix introduces proper detachment logic via Curl_ssl_detach_conn() that ensures SSL-specific state is cleaned up when a transfer is detached from a connection, preventing the callback from accessing freed memory.
Attack Vector
Exploitation requires a network-based attack where a malicious TLS 1.3 server sends specially crafted session tickets. The attack scenario involves:
- A client application using vulnerable curl/libcurl connects to an attacker-controlled server
- The connection is reused or multiplexed across multiple transfers
- The initial transfer completes and its memory is freed
- The attacker's server sends a TLS 1.3 session ticket
- libcurl's callback accesses the freed memory, potentially executing attacker-controlled code
The following patch from the official curl repository demonstrates the fix applied to lib/multi.c:
void Curl_detach_connnection(struct Curl_easy *data)
{
struct connectdata *conn = data->conn;
- if(conn)
+ if(conn) {
Curl_llist_remove(&conn->easyq, &data->conn_queue, NULL);
+ Curl_ssl_detach_conn(data, conn);
+ }
data->conn = NULL;
}
Source: GitHub curl Commit 7f4a9a9
The corresponding changes to SSL backend implementations add new callback hooks for proper association/disassociation:
Curl_none_set_engine_default, /* set_engine_default */
Curl_none_engines_list, /* engines_list */
Curl_none_false_start, /* false_start */
- NULL /* sha256sum */
+ NULL, /* sha256sum */
+ NULL, /* associate_connection */
+ NULL /* disassociate_connection */
};
Source: GitHub curl Commit 7f4a9a9
Detection Methods for CVE-2021-22901
Indicators of Compromise
- Unexpected crashes in applications using libcurl when connecting to external TLS 1.3 servers
- Memory corruption errors or segmentation faults in curl-based processes after TLS session establishment
- Suspicious outbound connections to unknown TLS 1.3 endpoints from affected systems
Detection Strategies
- Monitor for crashes in curl-dependent processes with stack traces involving Curl_ssl or OpenSSL session callback functions
- Inventory all systems running curl versions 7.75.0 through 7.76.1 with OpenSSL TLS backend
- Deploy memory safety monitoring tools (AddressSanitizer, Valgrind) in development and testing environments to detect use-after-free conditions
- Review application logs for TLS handshake failures or unexpected session ticket processing events
Monitoring Recommendations
- Implement network monitoring for unusual TLS 1.3 session ticket patterns from external servers
- Deploy endpoint detection rules for memory corruption exploitation attempts in curl processes
- Establish baseline network behavior for curl-based applications to identify anomalous TLS connection patterns
- Configure SentinelOne Singularity platform to monitor for exploitation attempts targeting memory corruption vulnerabilities in network utilities
How to Mitigate CVE-2021-22901
Immediate Actions Required
- Upgrade curl to version 7.77.0 or later immediately across all affected systems
- Audit all applications and services that bundle or depend on libcurl versions 7.75.0-7.76.1
- If immediate patching is not possible, consider disabling TLS 1.3 session tickets as a temporary workaround
- Review Oracle, NetApp, Siemens, and Splunk security advisories for vendor-specific patch guidance
Patch Information
The vulnerability has been addressed in curl version 7.77.0 and later. The fix implements proper detachment of transfer objects from SSL connections, ensuring session ticket callbacks do not access freed memory. Organizations should reference the following vendor resources for specific patch information:
- Official curl CVE-2021-22901 Documentation
- Oracle July 2021 Security Alerts
- Oracle January 2022 Security Alerts
- Oracle April 2022 Security Alerts
- NetApp Security Advisory NTAP-20210723-0001
- Siemens Security Advisory SSA-389290
Workarounds
- Disable TLS 1.3 session ticket support by setting CURLOPT_SSL_OPTIONS with CURLSSLOPT_NO_SESSIONID_CACHE where applicable
- Avoid connection reuse in critical applications by setting CURLOPT_FRESH_CONNECT and CURLOPT_FORBID_REUSE options
- Limit connections to trusted TLS servers only until patching is complete
- Consider using curl with alternative TLS backends (e.g., GnuTLS, NSS) that are not affected by this specific vulnerability
# Verify installed curl version
curl --version
# Check if curl is compiled with OpenSSL (affected backend)
curl --version | grep -i openssl
# Upgrade curl on Debian/Ubuntu systems
sudo apt-get update && sudo apt-get install --only-upgrade curl libcurl4
# Upgrade curl on RHEL/CentOS systems
sudo yum update curl libcurl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
