CVE-2021-22924
Description
libcurl's connection reuse logic fails to compare issuer_cert and case-sensitive paths, potentially reusing wrong connections.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
libcurl keeps a pool of established connections and reuses one when a new transfer's configuration matches it. The matching function compared file paths (such as the CA bundle and CA directory) case-insensitively and did not consider the 'issuer_cert' setting at all, so a pooled connection could be handed back to a transfer whose TLS security context differed from the one the connection was set up with, allowing cross-connection misuse. Affected versions include libcurl prior to the fix in version 7.77.0 [1].
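The following is an added illustration, not libcurl's own code: a small C model of the pool-matching check with the pre-fix comparison (case-insensitive paths, issuer certificate ignored) next to the corrected one, run on two constructed configurations. The struct and function names are assumptions; the option names in the comments are the real libcurl options the fields stand in for.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed model of the TLS settings the connection matcher compares;
 * this is not libcurl's own struct. */
struct ssl_cfg {
    const char *cafile;     /* stands in for CURLOPT_CAINFO */
    const char *capath;     /* stands in for CURLOPT_CAPATH */
    const char *issuercert; /* stands in for CURLOPT_ISSUERCERT */
};

/* NULL-safe string comparison: two NULLs match, NULL vs. a string does not. */
static bool safe_eq(const char *a, const char *b, bool case_sensitive)
{
    if (a == NULL || b == NULL)
        return a == b;
    return case_sensitive ? strcmp(a, b) == 0 : strcasecmp(a, b) == 0;
}

/* Pre-fix behaviour as the advisory describes it: paths compared
 * case-insensitively and issuercert never consulted. */
bool cfg_matches_vulnerable(const struct ssl_cfg *a, const struct ssl_cfg *b)
{
    return safe_eq(a->cafile, b->cafile, false) &&
           safe_eq(a->capath, b->capath, false);
}

/* Fixed behaviour: exact (case-sensitive) path comparison and the issuer
 * certificate included in the match. */
bool cfg_matches_fixed(const struct ssl_cfg *a, const struct ssl_cfg *b)
{
    return safe_eq(a->cafile, b->cafile, true) &&
           safe_eq(a->capath, b->capath, true) &&
           safe_eq(a->issuercert, b->issuercert, true);
}

/* Two constructed configs differing only in cafile case and in issuercert.
 * Returns 1 when the vulnerable matcher would reuse the pooled connection
 * for the new transfer while the fixed matcher refuses. */
int demo_mismatch_detected(void)
{
    struct ssl_cfg pooled = { "/etc/ssl/ca.pem", NULL, NULL };
    struct ssl_cfg wanted = { "/etc/ssl/CA.pem", NULL, "/etc/ssl/issuer.pem" };
    return cfg_matches_vulnerable(&pooled, &wanted) &&
           !cfg_matches_fixed(&pooled, &wanted);
}
```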
Exploitation
An attacker who can control file paths (e.g., via environment variables or configuration) or set the issuer_cert option may cause libcurl to match an existing connection incorrectly. No authentication is required, but the attacker must influence the connection setup parameters. The flaw can be triggered without user interaction if the application uses connection reuse with these settings.
Impact
Successful exploitation can result in reusing a connection that was established for a different server or with different security requirements. This could lead to information disclosure (e.g., sending data to an unintended server), authentication bypass, or credential leakage. The attacker may gain unintended access to resources or perform actions in the context of the misdirected connection.
Mitigation
The vulnerability is fixed in libcurl version 7.77.0 released on 2021-07-21. Users should upgrade to this version or later. If upgrade is not possible, avoid using the 'issuer_cert' option with case-sensitive paths, or disable connection reuse. There is no known workaround beyond patching. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
29 entries
- libcurl/libcurl
- osv-coords (28 versions): < 7.66.0-lp152.3.21.1 (+ 27 more)
- (no CPE) range: < 7.66.0-lp152.3.21.1
- (no CPE) range: < 7.66.0-4.22.1
- (no CPE) range: < 7.79.1-1.1
- (no CPE) range: < 7.66.0-lp152.3.21.1
- (no CPE) range: < 7.60.0-3.47.1
- (no CPE) range: < 7.60.0-3.47.1
- (no CPE) range: < 7.60.0-3.47.1
- (no CPE) range: < 7.60.0-3.47.1
- (no CPE) range: < 7.60.0-3.47.1
- (no CPE) range: < 7.66.0-4.22.1
- (no CPE) range: < 7.66.0-4.22.1
- (no CPE) range: < 7.66.0-4.22.1
- (no CPE) range: < 7.60.0-4.25.1
- (no CPE) range: < 7.60.0-11.23.1
- (no CPE) range: < 7.60.0-3.47.1
- (no CPE) range: < 7.60.0-3.47.1
- (no CPE) range: < 7.60.0-3.47.1
- (no CPE) range: < 7.60.0-4.25.1
- (no CPE) range: < 7.60.0-11.23.1
- (no CPE) range: < 7.60.0-3.47.1
- (no CPE) range: < 7.60.0-3.47.1
- (no CPE) range: < 7.60.0-11.23.1
- (no CPE) range: < 7.60.0-3.47.1
- (no CPE) range: < 7.60.0-3.47.1
- (no CPE) range: < 7.60.0-3.47.1
- (no CPE) range: < 7.60.0-4.25.1
- (no CPE) range: < 7.60.0-4.25.1
- (no CPE) range: < 7.37.0-70.71.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
15 references
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/ (mitre; vendor-advisory; x_refsource_FEDORA)
- www.debian.org/security/2022/dsa-5197 (mitre; vendor-advisory; x_refsource_DEBIAN)
- cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf (mitre; x_refsource_CONFIRM)
- cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf (mitre; x_refsource_CONFIRM)
- cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf (mitre; x_refsource_CONFIRM)
- hackerone.com/reports/1223565 (mitre; x_refsource_MISC)
- lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E (mitre; mailing-list; x_refsource_MLIST)
- lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E (mitre; mailing-list; x_refsource_MLIST)
- lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E (mitre; mailing-list; x_refsource_MLIST)
- lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E (mitre; mailing-list; x_refsource_MLIST)
- lists.debian.org/debian-lts-announce/2021/08/msg00017.html (mitre; mailing-list; x_refsource_MLIST)
- lists.debian.org/debian-lts-announce/2022/08/msg00017.html (mitre; mailing-list; x_refsource_MLIST)
- security.netapp.com/advisory/ntap-20210902-0003/ (mitre; x_refsource_CONFIRM)
- www.oracle.com/security-alerts/cpujan2022.html (mitre; x_refsource_MISC)
- www.oracle.com/security-alerts/cpuoct2021.html (mitre; x_refsource_MISC)
News mentions
No linked articles in our index yet.