Skip to main content
CVE Vulnerability Database

CVE-2024-7264: Haxx Libcurl ASN.1 Parser DoS Vulnerability

CVE-2024-7264 is a denial of service flaw in Haxx Libcurl's ASN.1 Generalized Time parser that can cause crashes or expose heap contents. This article covers the technical details, affected versions, and mitigation.

Updated:

CVE-2024-7264 Overview

CVE-2024-7264 is an out-of-bounds read vulnerability in libcurl's ASN.1 parser, specifically within the GTime2str() function used to parse ASN.1 Generalized Time fields. When supplied with a syntactically incorrect time field, the parser can compute a length value of -1 for the time fraction component. This miscalculation causes strlen() to operate on a non-null-terminated heap buffer, reading past the intended boundary [CWE-125].

The flaw typically results in a process crash. When applications use the CURLINFO_CERTINFO option, the bug can also return adjacent heap contents to the application, exposing potentially sensitive in-process data.

Critical Impact

Attackers controlling a server's TLS certificate can trigger crashes or leak heap memory contents to libcurl-based clients that retrieve certificate information.

Affected Products

  • Haxx libcurl (versions prior to the fix in commit 27959ec)
  • NetApp products incorporating affected libcurl versions (see NetApp advisories NTAP-20240828-0008, NTAP-20241025-0006, NTAP-20241025-0010)
  • Applications and distributions that link against vulnerable libcurl builds

Discovery Timeline

  • 2024-07-31 - CVE-2024-7264 published to NVD by the cURL project
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2024-7264

Vulnerability Analysis

The vulnerability resides in Curl_x509_GTime2str() within lib/vtls/x509asn1.c. The function parses ASN.1 Generalized Time strings, which optionally contain a fractional seconds component introduced by . or ,.

When the parser encounters a fractional component, it advances a pointer past the separator and scans for digits. The original code computed the fractional length as tzp - fracp - 1, which underflows to -1 (interpreted as a large unsigned value) when the separator is present but no digits follow. The function later passes this length to routines that invoke strlen() on the heap pointer, walking beyond the allocated buffer until a null byte is encountered.

Root Cause

The defect is an off-by-one error in pointer arithmetic combined with insufficient validation of the digit scan result. Because fracp was advanced before the digit check, subtracting an additional 1 produced a negative length when zero digits were present. The fix repositions the pointer assignment and removes the spurious subtraction.

Attack Vector

Exploitation requires a libcurl client to process a malformed X.509 certificate. An attacker who controls a TLS server, a man-in-the-middle position, or any source of certificates passed to libcurl can deliver a certificate containing a malformed Generalized Time field. The attack vector is network-based with low complexity, but user interaction is required to initiate the connection.

c
// Source: https://github.com/curl/curl/commit/27959ecce75cdb2809c0bdb3286e60e08fadb519
// Patch in lib/vtls/x509asn1.c — fix for GTime2str() length calculation
  fracl = 0; /* no fractional seconds detected so far */
  if(fracp < end && (*fracp == '.' || *fracp == ',')) {
    /* Have fractional seconds, e.g. "[.,]\d+". How many? */
-    tzp = fracp++; /* should be a digit char or BAD ARGUMENT */
+    fracp++; /* should be a digit char or BAD ARGUMENT */
+    tzp = fracp;
    while(tzp < end && ISDIGIT(*tzp))
      tzp++;
    if(tzp == fracp) /* never looped, no digit after [.,] */
      return CURLE_BAD_FUNCTION_ARGUMENT;
-    fracl = tzp - fracp - 1; /* number of fractional sec digits */
+    fracl = tzp - fracp; /* number of fractional sec digits */
    DEBUGASSERT(fracl > 0);

The patch reorders pointer assignment so tzp references the first digit position, then computes the fractional digit count without the off-by-one subtraction. See the cURL CVE-2024-7264 Documentation for the complete advisory.

Detection Methods for CVE-2024-7264

Indicators of Compromise

  • Unexpected crashes or segmentation faults in processes that invoke libcurl with CURLINFO_CERTINFO enabled
  • Application logs showing CURLE_BAD_FUNCTION_ARGUMENT (error 43) or abnormal termination during TLS handshakes
  • TLS connections to untrusted endpoints returning malformed X.509 certificate fields

Detection Strategies

  • Inventory libcurl versions across endpoints and servers using software composition analysis (SCA) tools to identify builds prior to the 27959ec fix
  • Inspect application source for calls to curl_easy_getinfo() with CURLINFO_CERTINFO, which expose the heap-read path
  • Run fuzz tests against ASN.1 Generalized Time parsing in TLS-enabled applications to surface latent crashes

Monitoring Recommendations

  • Monitor crash telemetry and core dumps from applications that perform TLS certificate inspection
  • Alert on repeated TLS handshake failures correlated with specific remote endpoints
  • Track NetApp and distribution advisories (NTAP-20240828-0008, NTAP-20241025-0006, NTAP-20241025-0010) for product-specific patch availability

How to Mitigate CVE-2024-7264

Immediate Actions Required

  • Upgrade libcurl to a version containing commit 27959ec or later
  • Identify all statically and dynamically linked consumers of libcurl, including bundled application binaries and container images
  • Apply vendor patches from downstream distributors and NetApp for impacted appliance products

Patch Information

The upstream fix is committed in the cURL repository at GitHub cURL Commit 27959ec. The patch corrects the GTime2str() length arithmetic and adds unit tests via unit1656.c. Refer to the cURL CVE-2024-7264 Documentation for affected version ranges and the HackerOne Report #2629968 for disclosure details.

Workarounds

  • Avoid using CURLINFO_CERTINFO in applications until libcurl is patched, which eliminates the heap content disclosure path
  • Restrict libcurl-based clients to trusted TLS endpoints to reduce exposure to attacker-supplied certificates
  • Where feasible, perform certificate inspection in a sandboxed or isolated process to contain crash impact
bash
# Verify the installed libcurl version and confirm patch level
curl --version
# Example: rebuild against patched source
git clone https://github.com/curl/curl.git
cd curl
git checkout 27959ec
autoreconf -fi && ./configure && make && sudo make install

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.