CVE-2024-7264 Overview
CVE-2024-7264 is an out-of-bounds read vulnerability in libcurl's ASN.1 parser, specifically within the GTime2str() function used to parse ASN.1 Generalized Time fields. When supplied with a syntactically incorrect time field, the parser can compute a length value of -1 for the time fraction component. This miscalculation causes strlen() to operate on a non-null-terminated heap buffer, reading past the intended boundary [CWE-125].
The flaw typically results in a process crash. When applications use the CURLINFO_CERTINFO option, the bug can also return adjacent heap contents to the application, exposing potentially sensitive in-process data.
Critical Impact
Attackers controlling a server's TLS certificate can trigger crashes or leak heap memory contents to libcurl-based clients that retrieve certificate information.
Affected Products
- Haxx libcurl (versions prior to the fix in commit 27959ec)
- NetApp products incorporating affected libcurl versions (see NetApp advisories NTAP-20240828-0008, NTAP-20241025-0006, NTAP-20241025-0010)
- Applications and distributions that link against vulnerable libcurl builds
Discovery Timeline
- 2024-07-31 - CVE-2024-7264 published to NVD by the cURL project
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-7264
Vulnerability Analysis
The vulnerability resides in Curl_x509_GTime2str() within lib/vtls/x509asn1.c. The function parses ASN.1 Generalized Time strings, which optionally contain a fractional seconds component introduced by . or ,.
When the parser encounters a fractional component, it advances a pointer past the separator and scans for digits. The original code computed the fractional length as tzp - fracp - 1, which underflows to -1 (interpreted as a large unsigned value) when the separator is present but no digits follow. The function later passes this length to routines that invoke strlen() on the heap pointer, walking beyond the allocated buffer until a null byte is encountered.
Root Cause
The defect is an off-by-one error in pointer arithmetic combined with insufficient validation of the digit scan result. Because fracp was advanced before the digit check, subtracting an additional 1 produced a negative length when zero digits were present. The fix repositions the pointer assignment and removes the spurious subtraction.
Attack Vector
Exploitation requires a libcurl client to process a malformed X.509 certificate. An attacker who controls a TLS server, a man-in-the-middle position, or any source of certificates passed to libcurl can deliver a certificate containing a malformed Generalized Time field. The attack vector is network-based with low complexity, but user interaction is required to initiate the connection.
// Source: https://github.com/curl/curl/commit/27959ecce75cdb2809c0bdb3286e60e08fadb519
// Patch in lib/vtls/x509asn1.c — fix for GTime2str() length calculation
fracl = 0; /* no fractional seconds detected so far */
if(fracp < end && (*fracp == '.' || *fracp == ',')) {
/* Have fractional seconds, e.g. "[.,]\d+". How many? */
- tzp = fracp++; /* should be a digit char or BAD ARGUMENT */
+ fracp++; /* should be a digit char or BAD ARGUMENT */
+ tzp = fracp;
while(tzp < end && ISDIGIT(*tzp))
tzp++;
if(tzp == fracp) /* never looped, no digit after [.,] */
return CURLE_BAD_FUNCTION_ARGUMENT;
- fracl = tzp - fracp - 1; /* number of fractional sec digits */
+ fracl = tzp - fracp; /* number of fractional sec digits */
DEBUGASSERT(fracl > 0);
The patch reorders pointer assignment so tzp references the first digit position, then computes the fractional digit count without the off-by-one subtraction. See the cURL CVE-2024-7264 Documentation for the complete advisory.
Detection Methods for CVE-2024-7264
Indicators of Compromise
- Unexpected crashes or segmentation faults in processes that invoke libcurl with CURLINFO_CERTINFO enabled
- Application logs showing CURLE_BAD_FUNCTION_ARGUMENT (error 43) or abnormal termination during TLS handshakes
- TLS connections to untrusted endpoints returning malformed X.509 certificate fields
Detection Strategies
- Inventory libcurl versions across endpoints and servers using software composition analysis (SCA) tools to identify builds prior to the 27959ec fix
- Inspect application source for calls to curl_easy_getinfo() with CURLINFO_CERTINFO, which expose the heap-read path
- Run fuzz tests against ASN.1 Generalized Time parsing in TLS-enabled applications to surface latent crashes
Monitoring Recommendations
- Monitor crash telemetry and core dumps from applications that perform TLS certificate inspection
- Alert on repeated TLS handshake failures correlated with specific remote endpoints
- Track NetApp and distribution advisories (NTAP-20240828-0008, NTAP-20241025-0006, NTAP-20241025-0010) for product-specific patch availability
How to Mitigate CVE-2024-7264
Immediate Actions Required
- Upgrade libcurl to a version containing commit 27959ec or later
- Identify all statically and dynamically linked consumers of libcurl, including bundled application binaries and container images
- Apply vendor patches from downstream distributors and NetApp for impacted appliance products
Patch Information
The upstream fix is committed in the cURL repository at GitHub cURL Commit 27959ec. The patch corrects the GTime2str() length arithmetic and adds unit tests via unit1656.c. Refer to the cURL CVE-2024-7264 Documentation for affected version ranges and the HackerOne Report #2629968 for disclosure details.
Workarounds
- Avoid using CURLINFO_CERTINFO in applications until libcurl is patched, which eliminates the heap content disclosure path
- Restrict libcurl-based clients to trusted TLS endpoints to reduce exposure to attacker-supplied certificates
- Where feasible, perform certificate inspection in a sandboxed or isolated process to contain crash impact
# Verify the installed libcurl version and confirm patch level
curl --version
# Example: rebuild against patched source
git clone https://github.com/curl/curl.git
cd curl
git checkout 27959ec
autoreconf -fi && ./configure && make && sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

