VYPR
← All advisories
Unrated severityNVD Advisory· Published May 26, 2023· Updated Feb 13, 2026

CVE-2023-28322

CVE-2023-28322

Description

curl before 8.1.0 may leak data or cause memory corruption when reusing a handle from a PUT to a POST transfer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

curl before 8.1.0 may leak data or cause memory corruption when reusing a handle from a PUT to a POST transfer.

Vulnerability

In libcurl versions prior to 8.1.0, a flaw exists in the handle reuse logic. When a handle previously used for a PUT request with CURLOPT_READFUNCTION is reused for a POST request with CURLOPT_POSTFIELDS, libcurl may erroneously invoke the read callback to obtain data, even though CURLOPT_POSTFIELDS is set. This can cause the application to send unintended data or trigger a use-after-free condition. The issue affects all curl versions before 8.1.0.

Exploitation

An attacker would need to influence the sequence of HTTP requests made by an application using libcurl, specifically causing a handle to be used first for a PUT (with a read callback) and then for a POST (with CURLOPT_POSTFIELDS). No special network position is required if the attacker can control the application's request logic. The attacker may be able to cause the application to send data from arbitrary memory locations, potentially leaking sensitive information.

Impact

Successful exploitation can lead to information disclosure (sending wrong data) or memory corruption (use-after-free). The attacker may gain access to sensitive data or cause a denial of service via application crash. The privilege level achieved depends on the context of the affected application.

Mitigation

The vulnerability is fixed in curl version 8.1.0. Apple included the fix in macOS Ventura 13.5 [1], macOS Monterey 12.6.8 [2], and macOS Big Sur 11.7.9 [3], as noted in the Full Disclosure mailing list [4]. No workaround is documented. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

References
  1. About the security content of macOS Ventura 13.5 - Apple Support
  2. About the security content of macOS Monterey 12.6.8 - Apple Support
  3. About the security content of macOS Big Sur 11.7.9 - Apple Support
  4. Full Disclosure: APPLE-SA-2023-07-24-4 macOS Ventura 13.5

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

41

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

12

News mentions

0

No linked articles in our index yet.