CVE-2024-6874

July 24, 2024, 12:55 p.m.

None
No Score

Description

libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the *macidn* IDN backend. The conversion function then fills up the provided buffer exactly - but does not null terminate the string. This flaw can lead to stack contents accidently getting returned as part of the converted string.

Product(s) Impacted

Product Versions
libcurl
  • []

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

http://www.openwall.com/lists/oss-security/2024/07/24/2
https://curl.se/docs/CVE-2024-6874.html
https://curl.se/docs/CVE-2024-6874.json
https://hackerone.com/reports/2604391

Tags

2024-07-24
2499f714-1537-4658-8207-48ae4bb9eae9
CVE-2024-6874

Timeline

Published: July 24, 2024, 8:15 a.m.
Last Modified: July 24, 2024, 12:55 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

2499f714-1537-4658-8207-48ae4bb9eae9

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.