VDB
ALPINE-CVE-2024-7264
ALPINE-CVE-2024-7264
PUBLISHED
CVSS 6.5 MEDIUM
libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.
Risk Scores
CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.20 | curl | 7.55.1-r0, 0, 8.9.0-r0 |
| Alpine:v3.18 | curl | 7.81.0-r0, 7.86.0-r1, 0 |
| Alpine:v3.21 | curl | 7.64.0-r1, 8.3.0-r0, 8.3.0-r1 |
| Alpine:v3.23 | curl | 7.53.1-r3, 7.53.1-r0, 7.53.1-r1 |
| Alpine:v3.22 | curl | 0, 7.63.0-r0, 7.64.0-r0 |
| Alpine:v3.19 | curl | 0, 0, 8.9.0-r0 |
| Alpine:v3.24 | curl | 0 |
Timeline
- Jul 31, 2024 CVE Published
- Apr 30, 2026 Distribution Patch
- Jun 15, 2026 CVE Updated