libcurl's ASN.1 parser code has the `GTime2str()` function, used for parsing an ASN.1 GeneralizedTime field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` being performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but it can also lead to heap contents being returned to the application when CURLINFO_CERTINFO (https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.
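As an added illustration (written for this page; it is not libcurl's `GTime2str()` and not the advisory's text), the following C program models the length arithmetic the description refers to: a scan of the fractional-seconds digits that comes out one short, so that a separator with no digits behind it produces a length of -1. It also shows one standard way such a length turns into an unbounded read, namely a `%.*s` conversion, since C treats a negative precision as if none were given and the copy then runs to the first NUL. The function names, the exact off-by-one, the rejection of an empty fraction in the fixed version and the sample fields are all constructed for the example; curl's real code and its fix differ in detail.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the CVE-2024-7264 bug class, written for this page. It is not
 * libcurl's GTime2str(); the names, the off-by-one and the samples are all
 * constructed. The time field arrives as [beg, end) with no NUL, as a DER
 * value sliced out of a larger certificate buffer would. */

/* Find the fractional-seconds digits that may follow "YYYYMMDDHHMMSS".
 * Returns 1 if a '.' or ',' separator is present, with *fracp set to the
 * first byte after it and *tzp to one past the last digit; returns 0 and
 * sets both to the end of the digit run otherwise. */
static int scan_fraction(const char *beg, const char *end,
                         const char **fracp, const char **tzp)
{
  const char *p = beg;
  const char *q;
  while (p < end && isdigit((unsigned char)*p))
    p++;                                   /* skip the date/time digits */
  if (!(p < end && (*p == '.' || *p == ','))) {
    *fracp = *tzp = p;
    return 0;                              /* no fraction at all */
  }
  *fracp = p + 1;                          /* first fraction digit, if any */
  q = p;
  do
    q++;
  while (q < end && isdigit((unsigned char)*q));
  *tzp = q;                                /* one past the last digit */
  return 1;
}

/* Buggy: subtracts 1 to "drop the separator" although fracp already sits
 * past it. Well-formed input silently loses its last digit; a separator
 * with no digits behind it yields -1, and "%.*s" treats a negative
 * precision as if none were given, so the copy runs past `end` until the
 * first NUL byte. Returns the snprintf() result. */
static int render_fraction_buggy(const char *beg, const char *end,
                                 char *out, size_t outsz)
{
  const char *fracp, *tzp;
  int fracl = 0;
  if (scan_fraction(beg, end, &fracp, &tzp))
    fracl = (int)(tzp - fracp) - 1;        /* the off-by-one */
  return snprintf(out, outsz, "%.*s", fracl, fracp);
}

/* Fixed: the digit count is exactly tzp - fracp, and a separator that is
 * not followed by at least one digit is rejected (-1) instead of being
 * rendered; the output never extends beyond [beg, end). */
static int render_fraction_fixed(const char *beg, const char *end,
                                 char *out, size_t outsz)
{
  const char *fracp, *tzp;
  int fracl = 0;
  if (scan_fraction(beg, end, &fracp, &tzp)) {
    if (tzp == fracp)
      return -1;                           /* ".Z": malformed, refuse it */
    fracl = (int)(tzp - fracp);
  }
  return snprintf(out, outsz, "%.*s", fracl, fracp);
}

/* Constructed samples: each time field is followed by bytes standing in for
 * whatever else the heap buffer holds. The demo buffer is NUL-terminated so
 * the buggy read stops there; a real heap slab is not, which is the crash
 * or the leaked heap contents the advisory describes. */
static const char sample_good[] = "20240731120000.5Z" "NEXT-FIELD-IN-BUFFER";
static const char sample_bad[]  = "20240731120000.Z"  "NEXT-FIELD-IN-BUFFER";
#define SAMPLE_GOOD_LEN 17   /* bytes that belong to the time field */
#define SAMPLE_BAD_LEN  16

/* Render one field with either version into a static scratch buffer.
 * A rejected field comes back as "<rejected>". */
static const char *demo(const char *field, size_t len, int fixed)
{
  static char scratch[64];
  int n = fixed ? render_fraction_fixed(field, field + len, scratch, sizeof scratch)
                : render_fraction_buggy(field, field + len, scratch, sizeof scratch);
  return n < 0 ? "<rejected>" : scratch;
}

int main(void)
{
  printf("good, buggy : \"%s\"\n", demo(sample_good, SAMPLE_GOOD_LEN, 0));
  printf("good, fixed : \"%s\"\n", demo(sample_good, SAMPLE_GOOD_LEN, 1));
  printf("bad,  buggy : \"%s\"\n", demo(sample_bad, SAMPLE_BAD_LEN, 0));
  printf("bad,  fixed : \"%s\"\n", demo(sample_bad, SAMPLE_BAD_LEN, 1));
  return 0;
}
```

On the malformed sample the buggy path emits the timezone byte plus everything after the field, which is exactly the kind of data that reaches an application through CURLINFO_CERTINFO when the field sits in a heap buffer; the fixed path refuses the field. Note that the buggy path is also wrong on well-formed input (it drops the last fraction digit), which is how an off-by-one of this shape can survive unnoticed.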
This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.6 for RHEL 8 and Red Hat OpenShift Service Mesh 2.6 for RHEL 9, via RHSA-2024:7726 (https://access.redhat.com/errata/RHSA-2024:7726).
This issue has been addressed in the following products: Red Hat Enterprise Linux 9, via RHSA-2025:1671 (https://access.redhat.com/errata/RHSA-2025:1671).
This issue has been addressed in the following products: Red Hat Enterprise Linux 8, via RHSA-2025:1673 (https://access.redhat.com/errata/RHSA-2025:1673).
For Red Hat Enterprise Linux 8, RHSA-2025:1673 shows only mysql-related packages as updated, but CVE-2024-7264 is a vulnerability in libcurl, so I would expect libcurl and curl to be among the updated packages in this RHSA. I checked the latest sources in RHEL 8 and I do not see libcurl being updated with the upstream patch. Will there be an update for libcurl published for CVE-2024-7264 that includes this fix?