CVE-2024-2398

8.6 HIGH

📋 TL;DR

CVE-2024-2398 is a memory leak vulnerability in libcurl that occurs when HTTP/2 server push headers exceed the 1000-header limit. This allows attackers to cause denial of service through resource exhaustion in applications using vulnerable libcurl versions. Any application using libcurl with HTTP/2 server push enabled is affected.

💻 Affected Systems

Products:
  • libcurl
  • curl
  • any software using libcurl library
Versions: libcurl 7.61.0 through 8.6.0
Operating Systems: All operating systems where libcurl is used
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when HTTP/2 server push is explicitly enabled by the application. Most applications do not enable this feature by default.

📦 What is this software?

Curl by Haxx

curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.

Learn more about Curl →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sustained exploitation could lead to complete system memory exhaustion, causing application crashes and denial of service across affected systems.

🟠

Likely Case

Memory consumption gradually increases during HTTP/2 sessions with server push, potentially leading to application instability or crashes over time.

🟢

If Mitigated

With HTTP/2 server push disabled or proper monitoring, impact is minimal as the vulnerability requires specific conditions to trigger.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to send HTTP/2 server push responses with >1000 headers to a vulnerable client. No authentication needed if network access exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libcurl 8.7.0

Vendor Advisory: https://curl.se/docs/CVE-2024-2398.html

Restart Required: Yes

Instructions:

1. Update libcurl to version 8.7.0 or later.
2. Recompile and redeploy any applications using libcurl.
3. Restart affected services.

🔧 Temporary Workarounds

Disable HTTP/2 server push

Applies to: all

Configure applications to disable HTTP/2 server push functionality. libcurl only accepts server push when the application registers a push callback on its multi handle via CURLMOPT_PUSHFUNCTION; leaving that option unset, or resetting it to NULL, makes libcurl reject all pushed streams, so the leaking code path is never reached.

/* Reset the push callback on the multi handle; with no callback libcurl refuses server push. */
curl_multi_setopt(multi, CURLMOPT_PUSHFUNCTION, NULL);
Set CURLOPT_PIPEWAIT to 0

🧯 If You Can't Patch

  • Disable HTTP/2 server push in all applications using libcurl
  • Implement memory monitoring and alerting for applications using libcurl with HTTP/2

🔍 How to Verify

Check if Vulnerable:

Check the libcurl version and verify whether the application enables HTTP/2 server push (it registers a CURLMOPT_PUSHFUNCTION callback).

Check Version:

curl --version | head -1

Verify Fix Applied:

Verify libcurl version is 8.7.0 or later and test HTTP/2 server push functionality
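A shell helper, added here as an example and not part of the advisory, that parses the first line of `curl --version` and classifies the linked libcurl version against the range stated above (7.61.0 through 8.6.0, fixed in 8.7.0). The function names and the sample banner string are constructed for this example; on a real host it reads the banner from the installed `curl` binary.

```shell
#!/usr/bin/env bash
# Added example: classify the libcurl version reported by `curl --version`
# against the affected range stated on this page for CVE-2024-2398.

# Extract the "X.Y.Z" that follows "libcurl/" in a `curl --version` banner line.
libcurl_version_from_banner() {
  # $1: first line of `curl --version`, e.g. "curl 8.4.0 (...) libcurl/8.4.0 OpenSSL/3.0.2 ..."
  printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9]*\.[0-9]*\.[0-9]*\).*|\1|p'
}

# Turn "X.Y.Z" into one integer so versions compare numerically, not lexically
# (otherwise "8.10.1" would sort below "8.7.0").
version_key() {
  local IFS=.
  set -- $1
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Print one of: vulnerable | fixed | below-range | unknown
#   vulnerable  : 7.61.0 <= version < 8.7.0 (range as stated on this page)
#   fixed       : version >= 8.7.0
#   below-range : older than the stated range; update regardless
#   unknown     : no libcurl version could be parsed
cve_2024_2398_status() {
  local v="$1" k lo hi
  [ -z "$v" ] && { echo unknown; return; }
  k=$(version_key "$v")
  lo=$(version_key 7.61.0)
  hi=$(version_key 8.7.0)
  if [ "$k" -ge "$hi" ]; then
    echo fixed
  elif [ "$k" -ge "$lo" ]; then
    echo vulnerable
  else
    echo below-range
  fi
}

# Stand-alone usage: check the curl installed on this host, if any.
if command -v curl >/dev/null 2>&1; then
  banner=$(curl --version | head -1)
  echo "$banner"
  echo "CVE-2024-2398 status: $(cve_2024_2398_status "$(libcurl_version_from_banner "$banner")")"
fi
```

A "fixed" result only says the library itself is patched; the application must still be relinked (or the shared library replaced) and restarted, as the fix instructions above require, and a statically linked libcurl is not reflected in the system `curl` banner at all.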

📡 Detection & Monitoring

Log Indicators:

  • Memory usage spikes in applications using libcurl
  • Application crashes with out-of-memory errors

Network Indicators:

  • HTTP/2 traffic with server push headers
  • Unusual number of HTTP/2 PUSH_PROMISE frames

SIEM Query:

source="application_logs" AND ("out of memory" OR "memory leak") AND process="*curl*"
