CVE-2021-22901
Description
Use-after-free in libcurl's OpenSSL TLS session caching can lead to remote code execution when a connection is reused across multiple transfers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in libcurl versions 7.75.0 through 7.76.1 when built with OpenSSL (or its forks BoringSSL and LibreSSL). The flaw occurs in the handling of TLS 1.3 session tickets. When libcurl sets up support for session ID caching on a connection using OpenSSL, it stores a pointer to the in-memory transfer object for later retrieval when a new session is established. If the connection is reused by multiple transfers (e.g., via HTTP/1.1 keep-alive or HTTP/2 multiplexing), the first transfer object may be freed before the new-session callback fires, causing libcurl to access already freed memory [1][2].
Exploitation
An attacker must operate a malicious TLS server that the client connects to. The client application must use libcurl's multi interface and reuse connections across multiple easy handles. The typical sequence is: create and use a first easy handle to perform HTTP/1.1 over TLS to the malicious server, free that handle with curl_easy_cleanup(), then create and use a second easy handle to the same server such that the TLS connection is reused. The server can then trigger a new session (e.g., by requesting a client certificate) causing libcurl to access the freed transfer object. Under rare circumstances, the attacker may be able to control the freed memory contents to achieve remote code execution [2].
Impact
Successful exploitation can lead to remote code execution in the client process. The attacker may also cause a denial of service or information disclosure if code execution is not achieved. The vulnerability is rated High severity with a CVSS score of 7.5 [2].
Mitigation
The vulnerability is fixed in curl version 7.77.0, released on May 26, 2021 [1][2]. Users should upgrade to curl 7.77.0 or later. No workaround is available for affected versions; applications must update the libcurl library. The fix is contained in commit 7f4a9a9b2a49547eae24d2e19bc5c346e9026479 [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- curl/curl
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Use-after-free in libcurl's OpenSSL backend: a pointer to the transfer object stored in SSL ex_data for the TLS 1.3 session ticket callback is not cleared when the transfer ends, allowing access to freed memory."
Attack vector
A malicious TLS server sends a TLS 1.3 session ticket after the handshake completes. If the client connection is reused across multiple transfers (e.g., HTTP/1.1 keep-alive or HTTP/2 multiplexing), the first transfer object may be freed before the session ticket callback fires. The callback then accesses the freed `Curl_easy` memory, and because libcurl may call a function pointer from that object, an attacker who can control the freed memory contents could achieve remote code execution [1].
Affected code
The vulnerability resides in the OpenSSL backend of libcurl (file `vtls/openssl.c`). The `ossl_connect_step1` function stored a pointer to the `Curl_easy` transfer object via `SSL_set_ex_data` for later use in the TLS 1.3 new-session callback, but did not clear that pointer when the transfer ended. The patch introduces `ossl_associate_connection` and `ossl_disassociate_connection` to properly manage the association and detach the transfer from the connection, preventing use-after-free.
What the fix does
The patch adds two new functions: `ossl_associate_connection` stores the transfer pointer in the SSL ex_data when a connection is established, and `ossl_disassociate_connection` clears that pointer (setting it to NULL) and deletes any cached session ID when the transfer is detached. The `disassociate` function is called when the transfer ends, ensuring the TLS 1.3 new-session callback will not access freed memory. The commit comment explicitly states this prevents the use-after-free problem described in the advisory.
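As an added illustration (not curl's code), the following C program models the associate/disassociate pattern the fix introduces: a per-connection slot standing in for the SSL ex_data, a new-session callback that reads it, and a transfer that is detached before it is freed. All struct and function names are hypothetical stand-ins for `Curl_easy`, the SSL object, and the two new backend functions.

```c
#include <stdlib.h>
/* Hypothetical stand-in for libcurl's Curl_easy transfer object. */
struct transfer {
    void (*on_new_session)(struct transfer *);  /* reached through the ex_data pointer */
};
/* Hypothetical stand-in for the SSL object; ex_data models the slot that
 * SSL_set_ex_data()/SSL_get_ex_data() manage in the real OpenSSL backend. */
struct connection {
    struct transfer *ex_data;
    int sessions;   /* new-session callbacks that reached a live transfer */
};
static void note_session(struct transfer *t) { (void)t; }

/* Role of ossl_associate_connection: attach the transfer to the connection. */
void associate_connection(struct connection *c, struct transfer *t) { c->ex_data = t; }

/* Role of ossl_disassociate_connection (the fix): clear the slot so a later
 * new-session callback never dereferences a freed transfer. */
void disassociate_connection(struct connection *c) { c->ex_data = NULL; }

/* Models the TLS 1.3 new-session callback. Returns 1 if it reached a live
 * transfer, 0 if the slot had already been cleared. */
int new_session_cb(struct connection *c) {
    struct transfer *t = c->ex_data;
    if (t == NULL)
        return 0;                /* fixed path: nothing to touch */
    t->on_new_session(t);        /* before the fix, t could already be freed here */
    c->sessions++;
    return 1;
}

/* Ending a transfer the fixed way: detach first, only then free. */
void end_transfer(struct connection *c, struct transfer *t) {
    disassociate_connection(c);
    free(t);
}

/* Sequence from the advisory: transfer 1 ends, the connection is kept for
 * transfer 2, and the server triggers a new session after each. With the fix
 * the callback after transfer 1 is a no-op, so only transfer 2 is counted. */
int scenario_fixed(void) {
    struct connection conn = { NULL, 0 };
    struct transfer *t1 = malloc(sizeof *t1), *t2 = malloc(sizeof *t2);
    t1->on_new_session = note_session;
    t2->on_new_session = note_session;
    associate_connection(&conn, t1);
    end_transfer(&conn, t1);         /* t1 freed, slot cleared */
    new_session_cb(&conn);           /* returns 0: no use-after-free */
    associate_connection(&conn, t2); /* connection reused by transfer 2 */
    new_session_cb(&conn);           /* returns 1: t2 is live */
    end_transfer(&conn, t2);
    return conn.sessions;            /* 1 */
}
```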
Preconditions
- (config) The client must use libcurl with the OpenSSL backend and TLS 1.3 session tickets enabled (the default when sessionid caching is on).
- (config) The connection must be reused across multiple transfers (HTTP/1.1 keep-alive or HTTP/2 multiplexing).
- (network) A malicious TLS server must send a TLS 1.3 session ticket after the handshake, timed so that the first transfer object is freed before the callback fires.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf (CONFIRM)
- cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf (CONFIRM)
- curl.se/docs/CVE-2021-22901.html (MISC)
- github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479 (MISC)
- hackerone.com/reports/1180380 (MISC)
- security.netapp.com/advisory/ntap-20210723-0001/ (CONFIRM)
- security.netapp.com/advisory/ntap-20210727-0007/ (CONFIRM)
- www.oracle.com//security-alerts/cpujul2021.html (MISC)
- www.oracle.com/security-alerts/cpuapr2022.html (MISC)
- www.oracle.com/security-alerts/cpujan2022.html (MISC)
News mentions
No linked articles in our index yet.