A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.

Related CVEs

CVE-2018-16840

Key Information

GHSA ID

GHSA-6vwf-m72q-cw8h

Published

May 13, 2022 1:34 AM

Last Modified

April 17, 2025 3:32 PM

CVSS Score

9.0 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: September 28, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.