{"id":"CURL-CVE-2023-28319","summary":"UAF in SSH sha256 fingerprint check","details":"libcurl offers a feature to verify an SSH server's public key using a SHA 256\nhash. When this check fails, libcurl would free the memory for the fingerprint\nbefore it returns an error message containing the (now freed) hash.\n\nThis flaw risks inserting sensitive heap-based data into the error message\nthat might be shown to users or otherwise get leaked and revealed.","aliases":["CVE-2023-28319"],"modified":"2026-04-25T20:30:07.041788Z","published":"2023-05-17T08:00:00Z","database_specific":{"award":{"currency":"USD","amount":"2400"},"severity":"Medium","URL":"https://curl.se/docs/CVE-2023-28319.json","last_affected":"8.0.1","package":"curl","affects":"both","CWE":{"desc":"Use After Free","id":"CWE-416"},"www":"https://curl.se/docs/CVE-2023-28319.html","issue":"https://hackerone.com/reports/1913733"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.81.0"},{"fixed":"8.1.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"3467e89bb97e6c87c77e82a046c59cb4b2d29a74"},{"fixed":"8e21b1a05f3c0ee098dbcb6c3d84cb61f102a122"}]}],"versions":["8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0"],"database_specific":{"vanir_signatures":[{"target":{"file":"lib/vssh/libssh2.c","function":"ssh_check_fingerprint"},"deprecated":false,"id":"CURL-CVE-2023-28319-7fadbfce","source":"https://github.com/curl/curl.git/commit/8e21b1a05f3c0ee098dbcb6c3d84cb61f102a122","signature_type":"Function","digest":{"function_hash":"164663694070092557558600732840543728138","length":3668},"signature_version":"v1"},{"target":{"file":"lib/vssh/libssh2.c"},"deprecated":false,"id":"CURL-CVE-2023-28319-91543937","source":"https://github.com/curl/curl.git/commit/8e21b1a05f3c0ee098dbcb6c3d84cb61f102a122","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["53569815033807692591988852672197824348","300026661933698122365812888195609192414","154976131995872583060259700678453632716","337877370814969873219123483981391270966","291185224061452949542855463539608396025","135566640030226554992210614888316861163","76693148052900451742912538564807476793"]},"signature_version":"v1"}],"source":"https://curl.se/docs/CURL-CVE-2023-28319.json","vanir_signatures_modified":"2026-04-25T20:30:07Z"}}],"schema_version":"1.7.5","credits":[{"name":"Wei Chong Tan","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}