VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 31, 2024· Updated Nov 3, 2025

ASN.1 date parser overread

CVE-2024-7264

Description

CVE-2024-7264: libcurl's ASN1 date parser over-read can crash or leak heap memory when parsing malformed Generalized Time fields.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-7264: libcurl's ASN1 date parser over-read can crash or leak heap memory when parsing malformed Generalized Time fields.

Vulnerability

libcurl's GTime2str() function, part of the ASN.1 parser, incorrectly handles syntactically invalid Generalized Time fields. When the length of the time fraction is set to -1, strlen() is called on a heap buffer that is not null-terminated, causing an out-of-bounds read. This affects curl versions 7.32.0 through 8.9.0 built with GnuTLS (since 7.42.0), Schannel (since 7.50.0), Secure Transport (since 7.79.0), or mbedTLS (since 8.9.0). The bug was introduced in commit 3a24cb7bc45 [2].

Exploitation

An attacker must present a malformed certificate containing an invalid ASN.1 Generalized Time field to a TLS connection that libcurl processes. The ASN.1 parsing occurs after a successful TLS handshake. However, if the TLS library itself rejects the malformed date, the vulnerable code path is not reached. The attacker does not need authentication or special network position beyond being able to complete a TLS handshake with the target [2].

Impact

A successful exploitation most likely results in a crash (denial of service). When the application uses CURLINFO_CERTINFO, heap memory contents may be returned to the application, leading to potential information disclosure. The over-read is limited to heap data adjacent to the buffer [1][2].

Mitigation

The vulnerability is fixed in curl versions 8.9.1 and later. Users should upgrade to the fixed version. For those unable to upgrade, using a TLS backend other than GnuTLS, Schannel, Secure Transport, or mbedTLS prevents the vulnerable code from being reached. No workaround exists for affected configurations. The flaw is not listed on the CISA KEV as of the publication date [1][2].

References
  1. security - [SECURITY ADVISORY] curl: CVE-2024-7264 ASN.1 date parser overread
  2. curl - ASN.1 date parser overread

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

50

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.