CVE-2022-32221

9.8 CRITICAL

📋 TL;DR

This vulnerability in libcurl allows an attacker to cause memory corruption or data leakage when reusing a handle from a PUT to a POST request. Applications using libcurl for HTTP(S) transfers with reused handles are affected. The flaw can lead to use-after-free or incorrect data transmission.

💻 Affected Systems

Products:
  • libcurl
  • curl command-line tool
  • Applications using libcurl library
Versions: libcurl 7.16.0 through 7.86.0
Operating Systems: All operating systems using affected libcurl versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that reuse curl handles between PUT and POST requests with a CURLOPT_READFUNCTION callback.

📦 What is this software?

Curl by Haxx

curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution or sensitive data exposure through memory corruption in applications using vulnerable libcurl versions.

🟠 Likely Case

Application crashes, data corruption, or unintended data transmission in HTTP(S) client operations.

🟢 If Mitigated

Limited impact with proper input validation and handle management, but still potential for denial of service.

🌐 Internet-Facing: HIGH - libcurl is widely used in internet-facing applications and services for HTTP communication.
🏢 Internal Only: MEDIUM - Internal applications using libcurl for API calls or data transfers could be affected.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires specific conditions of handle reuse between PUT and POST requests, but public proof-of-concept exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libcurl 7.87.0 and later

Vendor Advisory: https://curl.se/docs/CVE-2022-32221.html

Restart Required: Yes

Instructions:

1. Update libcurl to version 7.87.0 or later.
2. For curl command-line tool, update to version 7.87.0+.
3. Restart applications using libcurl.
4. Recompile applications if statically linked.

🔧 Temporary Workarounds

Avoid handle reuse between PUT and POST

all

Create separate curl handles for PUT and POST operations instead of reusing the same handle.

Disable CURLOPT_READFUNCTION for POST

all

Ensure CURLOPT_READFUNCTION is not set when using CURLOPT_POSTFIELDS for POST requests.

🧯 If You Can't Patch

  • Implement strict handle lifecycle management - create new handles for each request type
  • Add input validation and bounds checking in callback functions to prevent memory corruption

🔍 How to Verify

Check if Vulnerable:

Check the libcurl version with 'curl --version' or 'ldconfig -p | grep libcurl'. If the version is between 7.16.0 and 7.86.0, the system is vulnerable.

Check Version:

curl --version | head -1

Verify Fix Applied:

Verify libcurl version is 7.87.0 or later. Test application with PUT-POST handle reuse scenarios.
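
The version check described above, as an added example (not code from the curl project or from this page's source): a POSIX shell helper that reads the libcurl/ token from the 'curl --version' banner, because the library version is the one the affected range applies to, and compares it numerically with the range listed on this page. The function names and the sample banner are constructed for illustration; the default bounds are the ones stated on this page and can be overridden by arguments.

```shell
#!/bin/sh
# Added example: compare the libcurl version in a `curl --version` banner
# with the affected range listed on this page (override via arguments).

# Constructed sample banner: the tool and the library versions differ here.
SAMPLE_BANNER='curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.79.1 OpenSSL/1.1.1 zlib/1.2.11'

# Read a banner on stdin, print the N.N.N from its "libcurl/N.N.N" token.
libcurl_version_from_banner() {
    head -n 1 | tr ' ' '\n' |
        sed -n 's|^libcurl/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p'
}

# Turn "7.86.0" into a sortable integer (7086000); missing parts count as 0.
version_key() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# classify_libcurl VERSION [FIRST_AFFECTED] [LAST_AFFECTED]
# Prints "affected", "not-affected" or "unknown" (unparseable version).
classify_libcurl() {
    ver=$1; lo=${2:-7.16.0}; hi=${3:-7.86.0}   # defaults: range from this page
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    v=$(version_key "$ver")
    # Numeric comparison: a plain string compare would rank 7.9.8 above 7.16.0.
    if [ "$v" -ge "$(version_key "$lo")" ] && [ "$v" -le "$(version_key "$hi")" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Check the locally installed curl only when invoked with --local.
if [ "${1:-}" = "--local" ]; then
    classify_libcurl "$(curl --version | libcurl_version_from_banner)"
fi
```

In the sample banner the command-line tool reports 7.88.1 while the linked library is 7.79.1, so the result follows the library version.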

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access errors
  • Unexpected data in HTTP POST requests
  • Segmentation faults in curl-related processes

Network Indicators:

  • POST requests containing data from previous PUT operations
  • Malformed HTTP requests from applications using libcurl

SIEM Query:

source="application_logs" AND ("segmentation fault" OR "use-after-free" OR "memory corruption") AND process="*curl*"
