Unrated severityNVD Advisory· Published Mar 27, 2024· Updated Feb 13, 2025

HTTP/2 push headers memory-leak

CVE-2024-2398

Description

libcurl leaks memory when aborting HTTP/2 server push due to excessive headers, enabling potential denial of service via memory exhaustion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

libcurl leaks memory when aborting HTTP/2 server push due to excessive headers, enabling potential denial of service via memory exhaustion.

Vulnerability

In libcurl, when an application enables HTTP/2 server push (via CURLOPT_PUSHFUNCTION), and the server sends a PUSH_PROMISE frame with more than 1000 headers, libcurl aborts the push but fails to free previously allocated header memory, resulting in a memory leak. This affects curl versions 7.44.0 through 8.6.0 built with HTTP/2 support [4].

Exploitation

An attacker controlling an HTTP/2 server can send a crafted push promise with an excessive number of headers to trigger the leak. The client application must have enabled HTTP/2 server push (not the default). No authentication or user interaction is required, and the error is silent, making detection difficult [4].

Impact

Repeated exploitation can exhaust the memory of the process using libcurl, leading to a denial of service. No other impacts (such as code execution or information disclosure) are described [4].

Mitigation

The vulnerability is fixed in curl version 8.7.0, released March 27, 2024. As a workaround, applications can disable HTTP/2 server push by returning CURL_PUSH_DENY from the push callback, or disable HTTP/2 entirely. Users should upgrade libcurl or apply the patch [4].

References

security - [SECURITY ADVISORY] curl: CVE-2024-2398: HTTP/2 push headers memory-leak

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Curl/Libcurlllm-fuzzy
osv-coords41 versions
pkg:apk/chainguard/curl pkg:apk/chainguard/curl-dev pkg:apk/chainguard/curl-doc pkg:apk/chainguard/curl-oci-entrypoint pkg:apk/chainguard/curl-static pkg:apk/chainguard/libcurl4 pkg:apk/chainguard/libcurl-openssl4 pkg:apk/wolfi/curl pkg:apk/wolfi/curl-dev pkg:apk/wolfi/curl-doc pkg:apk/wolfi/curl-oci-entrypoint pkg:apk/wolfi/curl-static pkg:apk/wolfi/libcurl4 pkg:apk/wolfi/libcurl-openssl4 pkg:rpm/almalinux/curl pkg:rpm/almalinux/curl-minimal pkg:rpm/almalinux/libcurl pkg:rpm/almalinux/libcurl-devel pkg:rpm/almalinux/libcurl-minimal pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.5 pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%20Micro%205.3 pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%20Micro%205.4 pkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweed pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Installer%20Updates%2015%20SP4 pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Installer%20Updates%2015%20SP5 pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.1 pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.4 pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.5 pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 pkg:rpm/suse/curl&distro=SUSE%20Linux%20Micro%206.0 pkg:rpm/suse/curl&distro=SUSE%20Manager%20Proxy%204.3 pkg:rpm/suse/curl&distro=SUSE%20Manager%20Server%204.3
< 8.7.1-r0+ 40 more
- (no CPE)range: < 8.7.1-r0
- (no CPE)range: < 8.7.1-r0
- (no CPE)range: < 8.7.1-r0
- (no CPE)range: < 8.7.1-r0
- (no CPE)range: < 8.7.1-r0
- (no CPE)range: < 8.7.1-r0
- (no CPE)range: < 8.7.1-r0
- (no CPE)range: < 8.7.1-r0
- (no CPE)range: < 8.7.1-r0
- (no CPE)range: < 8.7.1-r0
- (no CPE)range: < 8.7.1-r0
- (no CPE)range: < 8.7.1-r0
- (no CPE)range: < 8.7.1-r0
- (no CPE)range: < 8.7.1-r0
- (no CPE)range: < 7.76.1-29.el9_4.1
- (no CPE)range: < 7.76.1-29.el9_4.1
- (no CPE)range: < 7.76.1-29.el9_4.1
- (no CPE)range: < 7.76.1-29.el9_4.1
- (no CPE)range: < 7.76.1-29.el9_4.1
- (no CPE)range: < 8.0.1-150400.5.44.1
- (no CPE)range: < 8.0.1-150400.5.44.1
- (no CPE)range: < 8.0.1-150400.5.44.1
- (no CPE)range: < 8.7.1-1.1
- (no CPE)range: < 8.0.1-150400.5.44.1
- (no CPE)range: < 8.0.1-150400.5.44.1
- (no CPE)range: < 8.0.1-150400.5.44.1
- (no CPE)range: < 8.0.1-150400.5.44.1
- (no CPE)range: < 7.66.0-150200.4.69.1
- (no CPE)range: < 7.66.0-150200.4.69.1
- (no CPE)range: < 8.0.1-150400.5.44.1
- (no CPE)range: < 8.0.1-150400.5.44.1
- (no CPE)range: < 8.0.1-150400.5.44.1
- (no CPE)range: < 8.0.1-150400.5.44.1
- (no CPE)range: < 8.0.1-11.86.2
- (no CPE)range: < 8.0.1-150400.5.44.1
- (no CPE)range: < 8.0.1-11.86.2
- (no CPE)range: < 8.0.1-150400.5.44.1
- (no CPE)range: < 8.0.1-11.86.2
- (no CPE)range: < 8.6.0-3.1
- (no CPE)range: < 8.0.1-150400.5.44.1
- (no CPE)range: < 8.0.1-150400.5.44.1
Curl/Curlv5
Range: 8.6.0

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000