Unrated severity · NVD Advisory · Published Oct 31, 2018 · Updated Apr 16, 2026

CVE-2018-16840

Description

A heap use-after-free vulnerability in curl 7.59.0 through 7.61.1 can cause crashes or potential code execution when closing an easy handle.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap use-after-free flaw exists in libcurl versions 7.59.0 through 7.61.1, inclusive [1][2]. The bug resides in the Curl_close() function when closing and cleaning up an 'easy' handle. The library code first frees a struct without nullifying the pointer and may subsequently write to a field within that already freed struct, leading to undefined behavior [2][3].

Exploitation

An attacker can trigger the vulnerability remotely by causing the application to close a crafted easy handle, for example through a specially crafted sequence of curl_easy_* calls [1][2]. No special authentication or user interaction beyond normal curl usage is required. The vulnerable code path is reachable when curl_easy_perform() is used, which internally creates and cleans up a multi handle [3].

Impact

Successful exploitation can result in a denial of service (application crash) or, potentially, arbitrary code execution [1][2]. The impact depends on heap layout and the ability to control the freed memory. The CVSS score is low, reflecting the difficulty of reliable exploitation [2].

Mitigation

Upgrade to curl version 7.62.0 or later, released on October 31, 2018, which includes the fix [2]. The patch can also be applied manually (commit 81d135d67155c5295b1033679c606165d4e28f3f) [2][3]. Users of affected distributions such as Ubuntu should update to the fixed curl packages [1][4]. No workaround is available if upgrading is not possible.
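To act on the affected range above across a fleet, the check below parses the libcurl version out of `curl --version` output and tests it against 7.59.0 through 7.61.1. It is an added example, not code from the advisory or the curl project; the sample output it runs on is constructed, and the `libcurl/` token is used rather than the first word because the curl tool and the linked libcurl can differ in version.

```shell
#!/bin/sh
# Added example for CVE-2018-16840: is this libcurl in the affected range?

# Turn "7.61.1" into one comparable integer (7*1000000 + 61*1000 + 1).
# Any suffix such as "-DEV" is stripped before splitting on dots.
vernum() {
    v=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    set -- $(printf '%s\n' "$v" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Returns 0 (true) when the version lies in 7.59.0 .. 7.61.1 inclusive.
is_affected() {
    n=$(vernum "$1")
    [ "$n" -ge "$(vernum 7.59.0)" ] && [ "$n" -le "$(vernum 7.61.1)" ]
}

# Pull the "libcurl/X.Y.Z" token from the first line of `curl --version`.
libcurl_version() {
    printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 1 if affected, 0 if not, 2 if the version could not be parsed.
check_curl_output() {
    v=$(libcurl_version "$1")
    [ -n "$v" ] || { echo "could not parse libcurl version"; return 2; }
    if is_affected "$v"; then
        echo "libcurl $v is in the affected range 7.59.0-7.61.1 (CVE-2018-16840)"
        return 1
    fi
    echo "libcurl $v is outside the affected range"
    return 0
}

# Constructed sample output (not captured from a real host).
SAMPLE='curl 7.61.0 (x86_64-pc-linux-gnu) libcurl/7.61.0 OpenSSL/1.1.0h zlib/1.2.11
Release-Date: 2018-07-11'

check_curl_output "$SAMPLE" || true
# On a live host: check_curl_output "$(curl --version)"
```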

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 16

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)