CVE-2023-28319
Description
Use-after-free in curl <8.1.0 leaks heap data via freed SSH fingerprint in error message.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in libcurl before version 8.1.0 in the SSH public key verification feature using a SHA256 hash. When the fingerprint check fails, libcurl frees the memory for the fingerprint before constructing an error message that includes the (now freed) hash [4]. This can lead to heap data being leaked in the error output.
Exploitation
An attacker can trigger this vulnerability by causing a failed SSH public key verification, for example by providing an incorrect host key fingerprint. The attacker does not need prior authentication; exploitation can occur remotely if curl connects to a malicious SSH server that presents a mismatched key. No race window is required: the use-after-free occurs immediately upon verification failure.
Impact
On successful exploitation, sensitive heap data (the freed fingerprint memory) may be included in the error message returned to the user or logged, potentially disclosing heap contents. This could lead to information disclosure of other data residing on the heap, depending on the context.
Mitigation
The vulnerability is fixed in curl version 8.1.0 and later. Gentoo Linux recommends upgrading to >=net-misc/curl-8.3.0-r2 [4]. No workaround is currently available.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
12 affected products. osv-coords (10 versions):
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.4 (no CPE), range: < 8.0.1-150400.5.23.1
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 8.0.1-150400.5.23.1
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%20Micro%205.3 (no CPE), range: < 8.0.1-150400.5.23.1
- pkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweed (no CPE), range: < 8.1.0-1.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 (no CPE), range: < 8.0.1-150400.5.23.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.4 (no CPE), range: < 8.0.1-150400.5.23.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 (no CPE), range: < 8.0.1-150400.5.23.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 8.0.1-11.65.2
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 8.0.1-11.65.2
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE), range: < 8.0.1-11.65.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- security.gentoo.org/glsa/202310-12 (mitre, vendor-advisory)
- seclists.org/fulldisclosure/2023/Jul/47 (mitre, mailing-list)
- seclists.org/fulldisclosure/2023/Jul/48 (mitre, mailing-list)
- seclists.org/fulldisclosure/2023/Jul/52 (mitre, mailing-list)
- hackerone.com/reports/1913733 (mitre)
- security.netapp.com/advisory/ntap-20230609-0009/ (mitre)
- support.apple.com/kb/HT213843 (mitre)
- support.apple.com/kb/HT213844 (mitre)
- support.apple.com/kb/HT213845 (mitre)
News mentions
No linked articles in our index yet.