VYPR
Unrated severity · NVD Advisory · Published Jul 7, 2022 · Updated May 5, 2025

CVE-2022-32206

Description

An unbounded chained HTTP compression chain in curl < 7.84.0 allows a malicious server to cause a malloc bomb, leading to high memory consumption or out-of-memory errors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

curl versions prior to 7.84.0 accept "chained" HTTP compression: a response body may be compressed several times, potentially with different algorithms (gzip, deflate, brotli), and curl sets up one decoder per step and unwinds them in turn. The number of accepted steps was capped, but the cap was enforced per Content-Encoding header rather than per response, so a malicious server could declare a virtually unlimited number of steps simply by sending many such headers. Each declared step adds a decoder with its own heap-allocated state and buffers, so a small response turns into a "malloc bomb": libcurl allocates large amounts of heap memory, causing denial of service through excessive memory consumption or out-of-memory errors [1][2].

Exploitation

An attacker who controls a server the client talks to (or who can modify responses in transit) crafts an HTTP response carrying many Content-Encoding headers, each naming a compression algorithm. curl creates a decoder for every step and attempts to unwind them all, so memory use grows with the number of headers the server chooses to send rather than with the size of the body. No authentication or user interaction is required beyond the client requesting a resource from the malicious server; curl processes the response automatically, and the client process consumes memory until its allocations fail [1][2].

Impact

Successful exploitation causes a denial of service by exhausting heap memory in the client process: curl, or the application embedding libcurl, may crash or become unresponsive. No severity rating is assigned on this page, but the practical profile is a remotely triggerable DoS that needs only a single response and no awareness from the user, affecting applications that rely on libcurl's automatic response decompression [1][2].

Mitigation

The vulnerability is fixed in curl 7.84.0, which caps the total number of compression steps per response instead of per header. Upgrade to curl 7.84.0 or later. Apple shipped the fix in macOS Ventura 13 (released October 24, 2022) as part of its security updates [1]; Gentoo recommends upgrading to >=net-misc/curl-7.86.0 [4]. No workaround is known; updating is the only mitigation [4].
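To make the per-header versus per-response distinction concrete, here is an added Python example (not code from this page, from curl, or from any cited advisory) that constructs a response of the shape described under Exploitation and then applies the two cap policies described under Mitigation. The response bytes are built locally as test data, the limit of 5 is an illustrative constant rather than curl's actual value, and decoding uses Python's gzip/zlib modules in place of libcurl's decoder stack.

```python
import gzip
import zlib
from typing import List, Tuple

# Illustrative cap on chained compression steps (assumption: curl's real
# constant may differ; the point is where the cap is enforced, not its value).
MAX_ENCODE_STACK = 5

Headers = List[Tuple[str, str]]


def build_chained_response(layers: int, per_header: int = 1,
                           payload: bytes = b"hello") -> bytes:
    """Construct a malicious HTTP/1.1 response (constructed test data, not a
    capture): the body is gzipped `layers` times and the matching "gzip" tokens
    are spread over Content-Encoding headers holding `per_header` tokens each."""
    body = payload
    for _ in range(layers):
        body = gzip.compress(body)
    tokens = ["gzip"] * layers
    header_lines = ["Content-Encoding: " + ", ".join(tokens[i:i + per_header])
                    for i in range(0, layers, per_header)]
    head = "HTTP/1.1 200 OK\r\n"
    for line in header_lines:
        head += line + "\r\n"
    head += f"Content-Length: {len(body)}\r\n\r\n"
    return head.encode("ascii") + body


def split_response(raw: bytes) -> Tuple[Headers, bytes]:
    """Split a raw response into (name, value) header pairs and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")[1:]  # drop status line
    headers: Headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def encoding_chain(headers: Headers) -> List[List[str]]:
    """Content-Encoding tokens grouped by header, in wire order."""
    return [[t.strip().lower() for t in value.split(",") if t.strip()]
            for name, value in headers if name == "content-encoding"]


def accepted_by_per_header_cap(chain: List[List[str]]) -> bool:
    """Pre-fix policy: each header on its own may hold at most the cap.
    Many headers with few tokens each pass, which is the bug."""
    return all(len(group) <= MAX_ENCODE_STACK for group in chain)


def accepted_by_total_cap(chain: List[List[str]]) -> bool:
    """Fixed policy: the steps of the whole response are counted together."""
    return sum(len(group) for group in chain) <= MAX_ENCODE_STACK


def decode_body(headers: Headers, body: bytes,
                cap: int = MAX_ENCODE_STACK) -> bytes:
    """Unwind the encodings in reverse wire order, refusing to build a decoder
    chain longer than the total cap before touching any data."""
    steps = [t for group in encoding_chain(headers) for t in group]
    if len(steps) > cap:
        raise ValueError(f"{len(steps)} compression steps exceed cap of {cap}")
    for enc in reversed(steps):
        if enc in ("gzip", "x-gzip"):
            body = gzip.decompress(body)
        elif enc == "deflate":
            body = zlib.decompress(body)
        elif enc == "identity":
            continue
        else:
            raise ValueError(f"unsupported encoding {enc!r}")
    return body


def demo(layers: int = 20) -> dict:
    """Show how a many-header response fares under both policies."""
    headers, body = split_response(build_chained_response(layers, per_header=1))
    chain = encoding_chain(headers)
    return {
        "headers": len(chain),
        "total_steps": sum(len(g) for g in chain),
        "per_header_cap_accepts": accepted_by_per_header_cap(chain),
        "total_cap_accepts": accepted_by_total_cap(chain),
    }


if __name__ == "__main__":
    print(demo())
```

The builder spreads one token per header so that the per-header check passes for any number of layers, which is exactly the gap the advisory describes; the total-cap check rejects the same response once the sum crosses the limit, and `decode_body` refuses before allocating a single decoder rather than after.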

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

41

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

11

News mentions

0

No linked articles in our index yet.