CVE-2022-42915
Description
Double free in curl when using HTTP proxy with non-HTTP(S) schemes (dict, gopher, etc.) leading to potential crash or code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Double free in curl when using HTTP proxy with non-HTTP(S) schemes (dict, gopher, etc.) leading to potential crash or code execution.
Vulnerability
Double free vulnerability in curl versions 7.77.0 through 7.85.0. When curl is configured to use an HTTP proxy and the URL uses a non-HTTP(S) scheme (dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, telnet), it issues a CONNECT request. If the proxy returns a non-200 response, the error handling cleanup can double free a heap allocation [3].
Exploitation
An attacker controlling an HTTP proxy (or a man-in-the-middle) can trigger the double free by returning a non-200 status to a CONNECT request for one of the affected schemes. No user interaction beyond using curl with an HTTP proxy is required. The attacker needs network position to intercept or control the proxy response [3].
Impact
A double free can lead to program crash or potential arbitrary code execution. Given the complexity of heap state, reliable exploitation may be difficult, but the vulnerability is considered medium severity (CVSS score not specified in advisory, but severity medium) [3].
Mitigation
Upgrade to curl 7.86.0 or later, released on October 26, 2022. Alternatively, apply the provided patch or avoid using an HTTP proxy with affected URL schemes. The vulnerability was introduced in 7.77.0 and fixed in 7.86.0 [3].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
10- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/mitrevendor-advisory
- security.gentoo.org/glsa/202212-01mitrevendor-advisory
- seclists.org/fulldisclosure/2023/Jan/19mitremailing-list
- seclists.org/fulldisclosure/2023/Jan/20mitremailing-list
- curl.se/docs/CVE-2022-42915.htmlmitre
- security.netapp.com/advisory/ntap-20221209-0010/mitre
- support.apple.com/kb/HT213604mitre
- support.apple.com/kb/HT213605mitre
News mentions
0No linked articles in our index yet.