{"id":"CVE-2021-22901","details":"curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. (Note for triage: the affected range encoded in this record, a GIT range introduced at 0 plus a versions list naming every curl tag, is broader than the 7.75.0 through 7.76.1 range stated here; the fix is the referenced curl commit 7f4a9a9b2a49547eae24d2e19bc5c346e9026479, so assess exposure by the stated version range rather than by the tag list.) When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or a multiplexed HTTP/2 connection), the first transfer object might be freed before the new session is established on that connection, and the code handling the arriving session ticket will then access a memory buffer that might already be freed. When using that memory, libcurl might even call a function pointer in the object, making remote code execution possible if the server could somehow manage to get crafted memory content into the correct place in 
memory.","aliases":["CURL-CVE-2021-22901"],"modified":"2026-02-01T00:15:53.820444Z","published":"2021-06-11T16:15:11.120Z","related":["openSUSE-SU-2024:10582-1"],"references":[{"type":"ADVISORY","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"},{"type":"ADVISORY","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf"},{"type":"ADVISORY","url":"https://curl.se/docs/CVE-2021-22901.html"},{"type":"ADVISORY","url":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"},{"type":"ADVISORY","url":"https://hackerone.com/reports/1180380"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210723-0001/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210727-0007/"},{"type":"ADVISORY","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"REPORT","url":"https://hackerone.com/reports/1180380"},{"type":"FIX","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"},{"type":"FIX","url":"https://curl.se/docs/CVE-2021-22901.html"},{"type":"FIX","url":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"EVIDENCE","url":"https://curl.se/docs/CVE-2021-22901.html"},{"type":"EVIDENCE","url":"https://hackerone.com/reports/1180380"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/curl/curl","events":[{"introduced":"0"},{"fixed":"7f4a9a9b2a49547eae24d2e19bc5c346e9026479"}]}],"versions":["before_ftp_statemachine","before_urldata_rename","curl-6_5","curl-6_5_1","curl-6_5_2","curl-7_10","curl-7_10_1","curl-7_10_2
","curl-7_10_3","curl-7_10_4","curl-7_10_5","curl-7_10_6","curl-7_10_7","curl-7_10_8","curl-7_11_0","curl-7_11_1","curl-7_11_2","curl-7_12_0","curl-7_12_1","curl-7_12_2","curl-7_12_3","curl-7_13_0","curl-7_13_1","curl-7_13_2","curl-7_14_0","curl-7_14_1","curl-7_15_0","curl-7_15_1","curl-7_15_2","curl-7_15_3","curl-7_15_4","curl-7_15_5","curl-7_15_6-prepipeline","curl-7_16_0","curl-7_16_1","curl-7_16_2","curl-7_16_3","curl-7_16_4","curl-7_17_0","curl-7_17_0-preldapfix","curl-7_17_1","curl-7_18_0","curl-7_18_1","curl-7_18_2","curl-7_19_0","curl-7_19_1","curl-7_19_2","curl-7_19_3","curl-7_19_4","curl-7_19_5","curl-7_19_6","curl-7_19_7","curl-7_1_1","curl-7_2","curl-7_20_0","curl-7_20_1","curl-7_21_0","curl-7_21_1","curl-7_21_2","curl-7_21_3","curl-7_21_4","curl-7_21_5","curl-7_21_6","curl-7_21_7","curl-7_22_0","curl-7_23_0","curl-7_23_1","curl-7_24_0","curl-7_25_0","curl-7_26_0","curl-7_27_0","curl-7_28_0","curl-7_28_1","curl-7_29_0","curl-7_3","curl-7_30_0","curl-7_31_0","curl-7_32_0","curl-7_33_0","curl-7_34_0","curl-7_35_0","curl-7_36_0","curl-7_37_0","curl-7_37_1","curl-7_38_0","curl-7_39_0","curl-7_40_0","curl-7_41_0","curl-7_42_0","curl-7_43_0","curl-7_44_0","curl-7_45_0","curl-7_46_0","curl-7_47_0","curl-7_47_1","curl-7_48_0","curl-7_49_0","curl-7_49_1","curl-7_4_1","curl-7_5","curl-7_50_0","curl-7_50_1","curl-7_50_2","curl-7_50_3","curl-7_51_0","curl-7_52_0","curl-7_52_1","curl-7_53_0","curl-7_53_1","curl-7_54_0","curl-7_54_1","curl-7_55_0","curl-7_55_1","curl-7_56_0","curl-7_56_1","curl-7_57_0","curl-7_58_0","curl-7_59_0","curl-7_5_2","curl-7_6","curl-7_6-pre4","curl-7_60_0","curl-7_61_0","curl-7_61_1","curl-7_62_0","curl-7_63_0","curl-7_64_0","curl-7_64_1","curl-7_65_0","curl-7_65_1","curl-7_65_2","curl-7_65_3","curl-7_66_0","curl-7_67_0","curl-7_68_0","curl-7_69_0","curl-7_69_1","curl-7_6_1","curl-7_6_1-pre1","curl-7_6_1-pre2","curl-7_6_1-pre3","curl-7_7","curl-7_7-beta1","curl-7_7-beta2","curl-7_7-beta3","curl-7_7-beta5","curl-7_70_0","curl-7_71_0","curl-7_
71_1","curl-7_72_0","curl-7_73_0","curl-7_74_0","curl-7_75_0","curl-7_76_0","curl-7_76_1","curl-7_7_1","curl-7_7_2","curl-7_7_3","curl-7_7_alpha2","curl-7_8","curl-7_8-pre2","curl-7_8_1","curl-7_8_1-pre3","curl-7_9","curl-7_9_1","curl-7_9_2","curl-7_9_3","curl-7_9_3-pre1","curl-7_9_3-pre2","curl-7_9_3-pre3","curl-7_9_4","curl-7_9_5","curl-7_9_5-pre2","curl-7_9_5-pre4","curl-7_9_6","curl-7_9_7","curl-7_9_7-pre2","curl-7_9_8","curl_7_6-pre3"],"database_specific":{"vanir_signatures":[{"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":"CVE-2021-22901-112b40cc","digest":{"line_hashes":["186219220524685466747730293319960369262","221885776772179948375588984335771599016","242092821167957799341998848306994961622"],"threshold":0.9},"target":{"file":"lib/vtls/gskit.c"}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":"CVE-2021-22901-16afe490","digest":{"line_hashes":["105711553773464346414647333756716138062","2904185772424648690614208022438633360","28943486962530006695741710418216306715"],"threshold":0.9},"target":{"file":"lib/vtls/wolfssl.c"}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":"CVE-2021-22901-1a7f75ad","digest":{"line_hashes":["187473753366580240819143889369803023555","19947501796357691300854331411987220613","95654700292215788056874075044093236670","54945258926373500052511413367380796929","50910872226802818269537850369166031572","58240838674613881414058697592076492097","327008296953905714942243329393832476807","167690107269592290756581100018194607341","163502143684354781220170101016683290242"],"threshold":0.9},"target":{"file":"lib/multi.c"}},{"deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https
://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":"CVE-2021-22901-1dc33ea9","digest":{"function_hash":"282527232010509207256326083520762769034","length":159},"target":{"function":"Curl_detach_connnection","file":"lib/multi.c"}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":"CVE-2021-22901-29a281cb","digest":{"line_hashes":["186219220524685466747730293319960369262","221885776772179948375588984335771599016","118420185482035953781785408918051443343"],"threshold":0.9},"target":{"file":"lib/vtls/mesalink.c"}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":"CVE-2021-22901-5ed26d1d","digest":{"line_hashes":["73271168870267222109289255326453829008","73827907696276383707622611301589291798","211530242407209078484329373388314723108","188779164379214942689248499697233465740","85386975455582097309536242192917050731","245081344340155641301320834143844850881","62153286337341876067281988598850343391","121669162297169078699046718566740458729","215298610020151475422509359025881665450","160496096879707273982560064615393928037","262253162330575483615990927020006884742","207030032140940270196392569482197400507","52196972406707744499516007337590729723","310848303797566296324889670751101086331","222593396967390567450172725704753887575","235691541654497677847954641653469180817","58633988980821724765059247018395199889","25447831337023957638041419169130371823","147075429205132582405216565002123595763","159239750700783782352173299703698057266","3437427716754797935132463652839023737","127087658280103561645782008847134409151","75199286429243154010508244248962936561","244921248497977065595362047332805878839","335526394393619798921303958949091926921","142148865309299820369778016046747186849","36343027810611685258758416187132301997","145703898
883617860025281749174947940817","49821058802725643425531673427781409057","49678742140860501719462917258286975569","63202482301952805327802201198622534649","293181921711569263243064672048373818969","133900923489114446296021898851185466508","36777361632708934694797056998674843243","11177419630060475881010668020085817087","303422892470415582204293820830754579527","286083972253237306490318597426997081139","261079382685828178432555473902036016734","279260391187534534676049212163993726371","329627646565725648632430807782727645922","79194766196837938283253745097174225478","5571743488213546801408132267818404860","130049941606887403578626904489921224945","178097734931733945871273233063040427391","216425396822114078519857436547106591880","285542075915533030311331310894582100597","181108455092571060169513480302647763308","201208934546635710539200215230233609237","13409051224758349761312328379615738889","299473193568500530537773344539589740788","152017765307026313653490870096797999253"],"threshold":0.9},"target":{"file":"lib/vtls/openssl.c"}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":"CVE-2021-22901-b01c82f2","digest":{"line_hashes":["117254624900286043914446684036232897839","278148543623425240728153472164075251212","313428367765666149420051287200382297935"],"threshold":0.9},"target":{"file":"lib/vtls/gtls.c"}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":"CVE-2021-22901-b75e8d96","digest":{"line_hashes":["155031123524163536542363547886908076616","241564592740147399037087761500264710056","224236323127553732321566263121395653926"],"threshold":0.9},"target":{"file":"lib/vtls/mbedtls.c"}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":
"CVE-2021-22901-b76d75f7","digest":{"line_hashes":["17479791198913112085959967000244748158","122978703432319367585527440563987283441","108255278866082812394702543602527323182","63147417521427190620024285144529305281","281873735472492112698195639167232268211","274123850254446799268534801426234867900","83722995015177457113170279222513998005"],"threshold":0.9},"target":{"file":"lib/vtls/vtls.h"}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":"CVE-2021-22901-bee48009","digest":{"line_hashes":["93612680191468065498685381231912631392","172816224077672263565079124615633457341","316884559720800204945935234868905210031","293326983079720454113692492174647385498"],"threshold":0.9},"target":{"file":"lib/vtls/sectransp.c"}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":"CVE-2021-22901-c3256b70","digest":{"line_hashes":["220881515393441035084801830498670033932","174542894043304738129105816634116784620","783098884639603181500321915206659113","186219220524685466747730293319960369262","221885776772179948375588984335771599016","72703555703531540869677605507512220101","227890448358690435620343229236177822739"],"threshold":0.9},"target":{"file":"lib/vtls/vtls.c"}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":"CVE-2021-22901-c729b6cb","digest":{"line_hashes":["89438604099976147155922991379116780231","152200389674360309942177538872971541530","36458605533992043066698451277391902613"],"threshold":0.9},"target":{"file":"lib/vtls/nss.c"}},{"deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":"CVE-2021-22901-deb6cd76","digest":{"function_ha
sh":"308421803234990224094444390237334411602","length":14664},"target":{"function":"ossl_connect_step1","file":"lib/vtls/openssl.c"}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":"CVE-2021-22901-e0ea5594","digest":{"line_hashes":["222480428048420087676105947998287034698","1791862209004315891931085883200233347","335032092301468568357198521291765970795","163498262204948760416787486037998488372","86790545262539225571869431646476558833","102446219944222485332424481391822647475","301150589919494327216392615030845277105"],"threshold":0.9},"target":{"file":"lib/vtls/schannel.c"}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":"CVE-2021-22901-e28697f3","digest":{"line_hashes":["186219220524685466747730293319960369262","221885776772179948375588984335771599016","331942912995982428602909187462272364537"],"threshold":0.9},"target":{"file":"lib/vtls/rustls.c"}},{"deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479","id":"CVE-2021-22901-f263bc98","digest":{"function_hash":"276203671696876119948010549383366377839","length":299},"target":{"function":"Curl_attach_connnection","file":"lib/multi.c"}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22901.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}