PT-2022-2690 · Libcurl

Author: Florian Kohnhäuser
Published: 2022-04-30 · Updated: 2026-05-18
CVE-2022-27781
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: libcurl (affected versions not specified)

Description: The issue is related to the CURLOPT_CERTINFO option in libcurl, which allows applications to request details about a server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information. This could allow a remote attacker to cause a denial of service by consuming all available system resources.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, avoid using the CURLOPT_CERTINFO option in libcurl until the issue is resolved, and restrict access to libcurl built with NSS to minimize the risk of exploitation.

Exploit: DoS, Infinite Loop, Resource Exhaustion


Related Identifiers

ALT-PU-2022-1837
ALT-PU-2022-1877
ALT-PU-2022-1902
AZL-9890
BDU:2022-03180
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2022-27781
DLA-3085-1
DSA-5197-1
MGASA-2022-0185
OESA-2022-1675
OPENSUSE-SU-2022_1870-1
OPENSUSE-SU-2024:12062-1
RHSA-2022:8840
SUSE-SU-2022:1733-1
SUSE-SU-2022:1805-1
SUSE-SU-2022:1870-1
SUSE-SU-2022:2813-1
SUSE-SU-2022:2829-1
USN-5412-1
USN-5499-1

Affected Products

Alt Linux
Astra Linux
Linux Mint
RED OS
SUSE
Ubuntu
libcurl