CVE-2021-22945
Description
Double-free vulnerability in libcurl's MQTT handling in versions up to 7.73.0 and also 7.78.0 could lead to remote code execution or denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability occurs in libcurl's MQTT protocol handling when sending data to an MQTT server. Affected versions are libcurl <= 7.73.0 and also 7.78.0. Under certain conditions, libcurl erroneously keeps a pointer to a memory area that has already been freed, then uses that pointer in a subsequent send call and frees the same memory again, resulting in a double-free and use-after-free condition.
Exploitation
An attacker controlling an MQTT server that receives data from a vulnerable libcurl client could potentially trigger the vulnerability. The attacker needs to be able to influence the timing or content of MQTT messages to cause the erroneous pointer behavior. No authentication is required from the client side; the attacker merely needs to send responses that lead to the double-free.
Impact
Successful exploitation could lead to arbitrary code execution in the context of the application using libcurl, or cause a denial of service due to memory corruption. The impact depends on the attacker's ability to control the freed/reused memory.
Mitigation
The vulnerability is fixed in libcurl versions 7.74.0 through 7.77.2 and 7.78.1 and later. Users should upgrade to a fixed version. Gentoo provides a GLSA [4] recommending upgrade to curl-7.86.0. No workaround is known.
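A practical first check, given only the version ranges stated above, is to classify an installed libcurl from its `curl --version` banner and confirm whether MQTT support is even compiled in. The following is an added example written for this record, not code from the curl project; the affected and fixed ranges are taken from the text above as stated, and the banner text is constructed for illustration.

```python
import re

# Ranges exactly as stated in this CVE record (assumed, not re-verified here):
# affected: libcurl <= 7.73.0 and exactly 7.78.0
# fixed:    7.74.0 through 7.77.2, and 7.78.1 and later
AFFECTED_MAX_LOW = (7, 73, 0)
AFFECTED_EXACT = (7, 78, 0)

# Constructed sample of a `curl --version` banner; not a real system's output.
SAMPLE_BANNER = """curl 7.78.0 (x86_64-pc-linux-gnu) libcurl/7.78.0 OpenSSL/1.1.1k zlib/1.2.11
Release-Date: 2021-07-21
Protocols: dict file ftp ftps http https mqtt
Features: alt-svc AsynchDNS HTTP2 IPv6 Largefile libz SSL TLS-SRP UnixSockets
"""


def parse_version(text):
    """Return the libcurl version as a (major, minor, patch) tuple.

    Prefers the 'libcurl/X.Y.Z' token of a `curl --version` banner, since the
    curl tool and the library it links can differ; falls back to the first
    bare X.Y.Z number for inputs that are just a version string.
    """
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if m is None:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the version falls in the affected ranges stated in the record."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return v <= AFFECTED_MAX_LOW or v == AFFECTED_EXACT


def mqtt_enabled(banner):
    """True if the 'Protocols:' line of the banner lists mqtt.

    A libcurl built without MQTT support never reaches the affected code path.
    """
    m = re.search(r"^Protocols:\s*(.*)$", banner, re.MULTILINE)
    if m is None:
        return False
    return "mqtt" in m.group(1).split()


def assess(banner):
    """Classify a banner: 'mqtt-not-built', 'affected-version' or 'not-affected'."""
    if not mqtt_enabled(banner):
        return "mqtt-not-built"
    if is_affected(parse_version(banner)):
        return "affected-version"
    return "not-affected"


if __name__ == "__main__":
    print(parse_version(SAMPLE_BANNER), assess(SAMPLE_BANNER))
```

One caveat a practitioner should keep in mind: the Debian and Fedora advisories in the references below ship backported fixes under older version numbers, so for distribution packages the package changelog or advisory, not the bare libcurl version, is authoritative; the version check above is a triage aid, not a final verdict.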
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 10
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/ [mitre, vendor-advisory]
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/ [mitre, vendor-advisory]
- security.gentoo.org/glsa/202212-01 [mitre, vendor-advisory]
- www.debian.org/security/2022/dsa-5197 [mitre, vendor-advisory]
- seclists.org/fulldisclosure/2022/Mar/29 [mitre, mailing-list]
- cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf [mitre]
- hackerone.com/reports/1269242 [mitre]
- security.netapp.com/advisory/ntap-20211029-0003/ [mitre]
- support.apple.com/kb/HT213183 [mitre]
- www.oracle.com/security-alerts/cpuoct2021.html [mitre]
News mentions: 0
No linked articles in our index yet.