Bug 1963146 (CVE-2021-22901) - CVE-2021-22901 curl: Use-after-free in TLS session handling when using OpenSSL TLS backend
Summary: CVE-2021-22901 curl: Use-after-free in TLS session handling when using OpenSS...
Alias: CVE-2021-22901
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1963867 1963900 1964815
Blocks: 1962160
TreeView+ depends on / blocked
Reported: 2021-05-21 14:50 UTC by Dhananjay Arunesh
Modified: 2022-04-17 21:24 UTC (History)
36 users (show)

Fixed In Version: curl 7.77.0
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the way curl handled TLS session data. The curl versions using the OpenSSL library as their TLS backend could use freed memory after TLS session renegotiation was performed by the OpenSSL library. A malicious TLS server could use this flaw to crash or, possibly, execute arbitrary code with the privileges of a client application using the curl library.
Clone Of:
Last Closed: 2021-06-17 15:05:03 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2471 0 None None None 2021-06-17 11:36:17 UTC
Red Hat Product Errata RHSA-2021:2472 0 None None None 2021-06-17 11:46:16 UTC

Description Dhananjay Arunesh 2021-05-21 14:50:48 UTC
A vulnerability was found in curl, where libcurl can be tricked into using already freed memory when a new TLS session is negotiated or a client certificate is requested on an existing connection. For example, this can happen when a TLS server requests a client certificate on a connection that was established without one. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client.

Comment 4 Tomas Hoger 2021-05-24 11:05:03 UTC
Upstream advisory notes that this issue affects curl version using OpenSSL (or its forks BoringSSL or libressl) as TLS backend.  It also requires the use of curl's "multi" interface.

Upstream also notes that this issue was only introduce recently, in version 7.75.0 via this commit:


This issue only affects versions 7.75.0 to 7.76.1, which are not included in any current version of Red Hat Enterprise Linux or Red Hat Software Collections.

Comment 5 Tomas Hoger 2021-05-24 11:07:39 UTC
Fedora 34 is currently the only Fedora version shipped affected upstream curl version.  Fedora 33 and earlier use versions prior to the first affected 7.75.0.

Comment 8 Sage McTaggart 2021-05-24 16:10:18 UTC
RHCS 2 ships curl-7.29.0-32, which is not affected.

Comment 9 Mauro Matteo Cascella 2021-05-26 07:39:16 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1964815]

Comment 12 Tomas Hoger 2021-05-26 08:40:49 UTC
Public now via upstream advisory:


Upstream commit:


Comment 14 Tomas Hoger 2021-06-10 20:58:31 UTC
HackerOne report:


Comment 16 errata-xmlrpc 2021-06-17 11:36:10 UTC
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471

Comment 17 errata-xmlrpc 2021-06-17 11:46:09 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472

Comment 18 Product Security DevOps Team 2021-06-17 15:05:03 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.