CVE-2022-27775
Description
Curl versions 7.65.0 to 7.82.0 reuse connections for IPv6 addresses with different zone IDs, leading to potential information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An information disclosure vulnerability exists in curl versions 7.65.0 through 7.82.0. The connection reuse logic incorrectly matches IPv6 addresses with different zone IDs, causing curl to reuse a connection intended for a different destination. This can lead to unintended data exposure. [1]
Exploitation
An attacker must be able to influence the zone ID in an IPv6 address used by curl, for example by controlling a URL or redirect. When curl's connection pool contains an entry for an IPv6 address with a different zone ID, the attacker can cause curl to reuse that connection, sending data to an unintended host. [1]
Impact
Successful exploitation results in information disclosure, as data intended for one host may be sent to another host due to connection reuse. The attacker could receive sensitive information meant for a different destination. [1]
Mitigation
The vulnerability is fixed in curl version 7.83.0 and later. Users should upgrade to at least curl 7.83.0. The Gentoo security advisory recommends upgrading to >=net-misc/curl-7.86.0. No workaround is available. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
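The connection-reuse flaw described above, as an added illustration that is not curl's code: a toy connection pool whose reuse key is either built without the IPv6 zone ID (modelling the flawed matching) or with it (the corrected behaviour). The URLs, interface names and pool structure are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Endpoint:
    scheme: str
    host: str            # IPv6 literal without brackets or zone
    zone: Optional[str]  # zone ID such as "eth0", or None when absent
    port: int


def parse_endpoint(url: str) -> Endpoint:
    """Parse scheme://[ipv6%25zone]:port/... into an Endpoint.
    RFC 6874 encodes the '%' before the zone ID as '%25' in URLs;
    a bare '%' is accepted too. Only bracketed IPv6 hosts are handled."""
    scheme, rest = url.split("://", 1)
    if not rest.startswith("["):
        raise ValueError("only bracketed IPv6 literals are handled here")
    end = rest.index("]")
    literal = unquote(rest[1:end])          # "fe80::1%25eth0" -> "fe80::1%eth0"
    host, _, zone = literal.partition("%")
    tail = rest[end + 1:]
    default = {"http": 80, "https": 443}[scheme]
    port = int(tail[1:].split("/", 1)[0]) if tail.startswith(":") else default
    return Endpoint(scheme, host.lower(), zone or None, port)


def key_ignoring_zone(ep: Endpoint) -> tuple:
    """Flawed model: two hosts differing only in zone ID compare equal."""
    return (ep.scheme, ep.host, ep.port)


def key_with_zone(ep: Endpoint) -> tuple:
    """Corrected model: the zone ID is part of the connection identity."""
    return (ep.scheme, ep.host, ep.zone, ep.port)


class ConnectionPool:
    """Minimal reuse cache: an open connection is reused when its key matches."""
    def __init__(self, key_fn: Callable[[Endpoint], tuple]) -> None:
        self._key_fn, self._conns, self._next_id = key_fn, {}, 0  # type: ignore

    def acquire(self, ep: Endpoint) -> Tuple[int, bool]:
        key = self._key_fn(ep)
        if key in self._conns:
            return self._conns[key], True   # reused an existing connection
        self._next_id += 1
        self._conns[key] = self._next_id
        return self._next_id, False         # opened a new connection


def demo() -> Tuple[bool, bool]:
    """Returns (reused_by_flawed_pool, reused_by_fixed_pool) for two
    constructed URLs that differ only in zone ID: expected (True, False)."""
    a = parse_endpoint("http://[fe80::1%25eth0]:8080/")
    b = parse_endpoint("http://[fe80::1%25eth1]:8080/")
    flawed, fixed = ConnectionPool(key_ignoring_zone), ConnectionPool(key_with_zone)
    flawed.acquire(a)
    fixed.acquire(a)
    return flawed.acquire(b)[1], fixed.acquire(b)[1]
```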
Affected products
12 entries (10 OSV package coordinates, no CPE):
- pkg:rpm/almalinux/curl: < 7.76.1-19.el9
- pkg:rpm/almalinux/curl-minimal: < 7.76.1-19.el9
- pkg:rpm/almalinux/libcurl: < 7.76.1-19.el9
- pkg:rpm/almalinux/libcurl-devel: < 7.76.1-19.el9
- pkg:rpm/almalinux/libcurl-minimal: < 7.76.1-19.el9
- pkg:rpm/opensuse/curl (openSUSE Leap 15.3): < 7.66.0-150200.4.30.1
- pkg:rpm/opensuse/curl (openSUSE Tumbleweed): < 7.83.0-1.1
- pkg:rpm/suse/curl (SUSE Linux Enterprise Micro 5.1): < 7.66.0-150200.4.30.1
- pkg:rpm/suse/curl (SUSE Linux Enterprise Micro 5.2): < 7.66.0-150200.4.30.1
- pkg:rpm/suse/curl (SUSE Linux Enterprise Module for Basesystem 15 SP3): < 7.66.0-150200.4.30.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4 references:
- hackerone.com/reports/1546268 (NVD: Exploit, Third Party Advisory)
- security.gentoo.org/glsa/202212-01 (NVD: Third Party Advisory)
- security.netapp.com/advisory/ntap-20220609-0008/ (NVD: Third Party Advisory)
- www.debian.org/security/2022/dsa-5197 (NVD: Third Party Advisory)
News mentions
No linked articles in our index yet.