PT-2023-3433 · Curl+5

Harry Sintonen +1 · Published 2023-05-17 · Updated 2026-05-18 · CVE-2023-28320

CVSS v3.1: 5.9 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: curl versions prior to 8.1.0

Description: A denial of service issue exists in the way libcurl provides several different backends for resolving host names. If libcurl is built to use the synchronous resolver, it uses alarm() and siglongjmp() to time out slow name resolves. While doing so it relies on a global buffer that is not mutex protected, so a multi-threaded application can crash or otherwise misbehave. The issue can be exploited by a remote attacker to cause a denial of service.

Recommendations: For versions prior to 8.1.0, update to version 8.1.0 or later to resolve the issue. As a temporary workaround, avoid using the synchronous resolver backend in multi-threaded applications until a patch is available. Restrict access to the vulnerable alarm() and siglongjmp() functions to minimize the risk of exploitation.
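A practical way to check whether a given curl build falls into the affected configuration is to read `curl --version`: the first line carries the version, and the `Features:` line lists `AsynchDNS` only when libcurl was built with an asynchronous resolver (c-ares or the threaded resolver); a build without that feature uses the synchronous alarm()/siglongjmp() resolver described above. The script below is an added example, not part of this advisory or of the curl project; the `curl_exposed` and `report` functions and the three sample version outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or the curl project): classify a curl
# build against CVE-2023-28320 from the text of `curl --version`.
# Assumptions: line 1 begins "curl X.Y.Z", and the "Features:" line contains
# "AsynchDNS" only for builds using a non-synchronous resolver.
#
# curl_exposed STATUS: 0 = exposed (synchronous resolver and version < 8.1.0),
#                      1 = not exposed, 2 = version line could not be parsed.
curl_exposed() {
  out="$1"
  ver=$(printf '%s\n' "$out" | sed -n '1s/^curl \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p')
  [ -n "$ver" ] || return 2
  feats=$(printf '%s\n' "$out" | sed -n 's/^Features: //p')
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  # Fixed in 8.1.0: anything at or past that release is not affected.
  if [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 1 ]; }; then
    return 1
  fi
  # Older builds are exposed only when the synchronous resolver is in use,
  # i.e. when AsynchDNS is missing from the feature list.
  case " $feats " in
    *" AsynchDNS "*) return 1 ;;
  esac
  return 0
}

# Human-readable wrapper around curl_exposed.
report() {
  curl_exposed "$2"
  case $? in
    0) echo "$1: exposed (synchronous resolver, version < 8.1.0)" ;;
    1) echo "$1: not exposed" ;;
    *) echo "$1: could not parse version line" ;;
  esac
}

# Constructed sample outputs (hypothetical, not captured from real systems).
SAMPLE_SYNC='curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.8 zlib/1.2.13
Release-Date: 2023-02-20
Protocols: dict file ftp ftps http https
Features: alt-svc HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz SSL'
SAMPLE_ASYNC='curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.8 zlib/1.2.13
Release-Date: 2023-02-20
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz SSL'
SAMPLE_FIXED='curl 8.1.0 (x86_64-pc-linux-gnu) libcurl/8.1.0 OpenSSL/3.0.8 zlib/1.2.13
Release-Date: 2023-05-17
Protocols: dict file ftp ftps http https
Features: alt-svc HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz SSL'

report "sample-sync"  "$SAMPLE_SYNC"
report "sample-async" "$SAMPLE_ASYNC"
report "sample-fixed" "$SAMPLE_FIXED"

# Also check the curl installed on this host, if any.
if command -v curl >/dev/null 2>&1; then
  report "local-curl" "$(curl --version)"
fi
```

The check is conservative: an old build whose output lacks a `Features:` line altogether is reported as exposed, since nothing proves an asynchronous resolver is present. Note that the feature flag only tells you which resolver backend was compiled in; it says nothing about whether the application is multi-threaded, which is the condition under which the unprotected global buffer actually matters.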

Exploit

Fix

DoS

Resource Exhaustion

Race Condition

Weakness Enumeration

Related Identifiers

ALT-PU-2023-1827
ALT-PU-2023-1863
ALT-PU-2023-4357
ALT-PU-2023-5727
AZL-26790
AZL-26793
AZL-26809
AZL-26813
AZL-34605
AZL-38926
BDU:2023-03612
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2023-28320
MGASA-2023-0263
OPENSUSE-SU-2024:12940-1
SUSE-SU-2023:2224-1
SUSE-SU-2023:2224-2
SUSE-SU-2023:2225-1
SUSE-SU-2023:2226-1
SUSE-SU-2023:2227-1
SUSE-SU-2023:2228-1
SUSE-SU-2023:2230-1
SUSE-SU-2023_2227-1
SUSE-SU-2023_2230-1

Affected Products

Alt Linux
Debian
Apple Macos
Red Os
Suse
Curl