CVE-2024-6874
Essential information
- Published
- 24/07/2024 08:15
- Modified
- 24/07/2024 12:55
- Author
- —
- Creator
- —
- CISA KEV
- No
- CWE
- —
- CVSS vector
- — — —
Description
libcurl's URL API function
[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode
conversions, to and from IDN. Asking to convert a name that is exactly 256
bytes, libcurl ends up reading outside of a stack based buffer when built to
use the *macidn* IDN backend. The conversion function then fills up the
provided buffer exactly - but does not null terminate the string.
This flaw can lead to stack contents accidently getting returned as part of
the converted string.
NVD status
- Status
- Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- 2499f714-1537-4658-8207-48ae4bb9eae9
- NVD
- View on NVD