PT-2024-5390 · Curl+3

Z2 · Published 2024-04-17 · Updated 2026-05-18 · CVE-2024-6874

CVSS v3.1

4.3 Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

cURL (affected versions not specified)

Description

The issue is in the `curl_url_get()` function in cURL, which performs Punycode conversions of IDN domain names. When a name that is exactly 256 bytes long is converted, the function can read outside a stack-based buffer, and stack contents can be returned as part of the converted string, leading to potential information disclosure. The vulnerability may allow a remote attacker to cause a denial of service.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration

Buffer Over-read
Out-of-bounds Read

Related Identifiers

ALT-PU-2024-10355
ALT-PU-2024-14880
ALT-PU-2024-16747
ALT-PU-2025-1416
AZL-47020
AZL-47046
AZL-49664
BDU:2024-06024
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2024-6874
JLSEC-2025-37
OPENSUSE-SU-2024:14225-1
SUSE-SU-2025:03198-1
SUSE-SU-2025_03198-1

Affected Products

Alt Linux
Astra Linux
Suse
Curl