The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2022-32206

CVE-2022-32206: Haxx Curl DOS Vulnerability

CVE-2022-32206 is a denial of service flaw in Haxx Curl that allows malicious servers to trigger memory exhaustion through unbounded HTTP compression chains. This article covers technical details, affected versions, and mitigation.

Published: February 18, 2026

CVE-2022-32206 Overview

CVE-2022-32206 is a resource exhaustion vulnerability affecting curl versions prior to 7.84.0. The vulnerability exists in how curl handles "chained" HTTP compression algorithms, where a server response can be compressed multiple times using potentially different algorithms. Due to missing limits on the number of acceptable "links" in this decompression chain, a malicious server can insert a virtually unlimited number of compression steps. This can result in a "malloc bomb" where curl ends up allocating enormous amounts of heap memory or returning out-of-memory errors, leading to denial of service conditions.

Critical Impact

A malicious server can trigger excessive memory allocation in curl clients through unlimited compression chain expansion, causing denial of service through memory exhaustion.

Affected Products

  • Haxx curl versions prior to 7.84.0
  • Fedora 35
  • Debian Linux 10.0 and 11.0
  • NetApp Clustered Data ONTAP, Element Software, HCI Management Node, SolidFire
  • NetApp HCI Compute Node and Bootstrap OS
  • NetApp H300S, H500S, H700S, H410S and associated firmware
  • Siemens SCALANCE SC622-2C, SC626-2C, SC632-2C, SC636-2C, SC642-2C, SC646-2C and associated firmware
  • Splunk Universal Forwarder

Discovery Timeline

  • July 7, 2022 - CVE-2022-32206 published to NVD
  • May 5, 2025 - Last updated in NVD database

Technical Details for CVE-2022-32206

Vulnerability Analysis

This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The flaw exists in curl's HTTP response decompression handling logic. When curl receives an HTTP response, it supports automatic decompression of compressed content. The protocol allows for multiple compression layers (chained compression), where each layer can use different compression algorithms such as gzip, deflate, or brotli.

The vulnerability allows a malicious server to exploit this feature by sending responses with an excessive number of compression layers. Without proper bounds checking on the decompression chain length, curl attempts to decompress all layers, allocating memory for each intermediate decompressed result. This can lead to exponential memory consumption as each decompression step may produce output larger than its input.

Root Cause

The root cause is the absence of a limit on the number of compression "links" that curl will process in a decompression chain. The code responsible for handling HTTP content encoding did not implement any bounds checking to prevent excessive chaining. This oversight allows an attacker-controlled server to dictate how many decompression operations curl performs, directly translating to unbounded memory allocation.

Attack Vector

The attack requires user interaction where a victim must connect to a malicious server using a vulnerable curl client. The malicious server responds with an HTTP response containing an extremely long chain of Content-Encoding headers. Each encoding layer in the chain causes curl to allocate additional heap memory for decompression buffers.

The attack works by constructing a response where each compression layer, when decompressed, yields data that appears to be another compressed layer. The decompression process continues recursively until system memory is exhausted or curl returns an out-of-memory error. This effectively creates a denial of service condition against the client application using curl.

Detection Methods for CVE-2022-32206

Indicators of Compromise

  • Unusual memory consumption spikes in processes utilizing curl library functions
  • HTTP responses with abnormally long or multiple Content-Encoding header chains
  • Out-of-memory errors in applications that use curl for HTTP client functionality
  • Process crashes or terminations due to memory allocation failures

Detection Strategies

  • Monitor for HTTP responses containing multiple chained Content-Encoding values from external servers
  • Implement memory usage monitoring for curl-dependent applications with alerting on abnormal growth patterns
  • Deploy network inspection rules to identify responses with excessive compression encoding chains
  • Review application logs for memory allocation failures or out-of-memory conditions in curl operations

Monitoring Recommendations

  • Establish baseline memory utilization for services using curl and alert on significant deviations
  • Configure network monitoring to inspect and flag HTTP responses with more than typical compression layers
  • Implement process-level memory limits using cgroups or similar mechanisms for curl-dependent services
  • Enable detailed logging for HTTP client operations to capture encoding header information

How to Mitigate CVE-2022-32206

Immediate Actions Required

  • Upgrade curl to version 7.84.0 or later where the decompression chain limit has been implemented
  • Review and update all systems and applications that bundle or depend on curl library
  • Apply vendor-specific patches for affected products including NetApp, Siemens, and Splunk software
  • Implement network-level filtering to limit or inspect HTTP Content-Encoding headers from untrusted sources

Patch Information

The vulnerability has been addressed in curl version 7.84.0 and later, which implements proper limits on the HTTP compression decompression chain. Multiple vendors have released security advisories and patches for affected products. For detailed patch information, refer to the Siemens Security Advisory SSA-333517, NetApp Security Advisory ntap-20220915-0003, Debian Security Advisory DSA-5197, and Gentoo Security Advisory GLSA 2022-12-01. Additional information can be found in the original HackerOne Report #1570651.

Workarounds

  • Configure network security devices to limit or block HTTP responses with excessive compression encoding layers
  • Implement application-level memory limits for processes using curl to prevent system-wide impact
  • Consider disabling automatic HTTP decompression in curl if not required for application functionality
  • Deploy proxy servers that normalize HTTP encoding headers before forwarding to internal clients
bash
# Check current curl version
curl --version

# Update curl on Debian/Ubuntu systems
sudo apt update && sudo apt upgrade curl libcurl4

# Update curl on RHEL/CentOS systems
sudo yum update curl libcurl

# Update curl on Fedora systems
sudo dnf update curl libcurl

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechHaxx Curl
  • SeverityMEDIUM
  • CVSS Score6.5
  • EPSS Probability4.55%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-770
  • Technical References
  • Full Disclosure October 28, 2022
  • Full Disclosure October 41, 2022
  • OpenWall OSS Security Post
  • HackerOne Report #1570651
  • Debian LTS Announcement August 2022
  • Fedora Package Announcement 2022
  • Gentoo GLSA 2022-12-01
  • NetApp Security Advisory ntap-20220915-0003
  • Apple Support Document HT213488
  • Debian Security DSA-5197
  • Vendor Resources
  • Siemens Security Advisory SSA-333517
  • Related CVEs
  • CVE-2024-2004: Haxx Curl DOS Vulnerability
  • CVE-2025-5399: Haxx Curl WebSocket DoS Vulnerability
  • CVE-2022-35252: Haxx Curl Cookie DOS Vulnerability
  • CVE-2022-32205: Haxx Curl Set-Cookie DOS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English