## Title Heap Use-After-Free Vulnerability in `curl` Leading to Potential Code Execution

## Summary A **Use-After-Free (UAF)** vulnerability was discovered in `curl` at **`curl_trc.c:195`**. When processing specially crafted input, the code accesses memory after it has already been freed. This can result in undefined behavior, leading to a **denial of service (crash)** and potentially enabling **information disclosure** or **remote code execution**, depending on the attacker’s ability to control heap layout. code ```C if(data->set.errorbuffer && !data->state.errorbuf) { strcpy(data->set.errorbuffer, error); data->state.errorbuf = TRUE; /* wrote error string */ } ``` ## Affected version curl 8.16.0-DEV (Linux) libcurl/8.16.0-DEV ## Steps To Reproduce: I used LLVM libFuzzer to find this. 1.Compile libcurl with sanitizers enabled: ```shell mkdir build && cd build CC=clang CXX=clang++ cmake .. -DCMAKE_BUILD_TYPE=Debug -DCMAKE_C_FLAGS="-g -O1 -fsanitize=address" -DBUILD_SHARED_LIBS=OFF -DBUILD_STATIC_LIBS=ON -DBUILD_TESTING=OFF -DBUILD_EXAMPLES=OFF -DENABLE_MANUAL=OFF cmake --build . --config Debug ``` 2. Build the fuzz target vulnerablityfuzz.cpp with coverage instrumentation enabled. ```shell clang++ -g -O1 -fsanitize=address,fuzzer -I../include -I../src/include vulnerablityfuzz.cpp ./lib/libcurl-d.a -o vulfuzz -lpsl -ldl -lpthread -lssl -lcrypto -lz ``` 3. Run the fuzzer: ```shell ./vulfuzz ``` ## Supporting Material/References: {F4686953} {F4687026} ## Impact ## Summary: The discovered vulnerability is a **heap-use-after-free** in `curl` that occurs when previously freed heap memory is accessed and written via `strcpy()`. An attacker who can influence the input processed by the vulnerable functions (e.g., SSL configuration, proxy configuration, or callback functions) may achieve the following impacts: - **Denial of Service (DoS):** By triggering the use-after-free condition, an attacker can reliably crash the process, making the application or service unavailable. - **Information Disclosure:** Since freed memory may still contain sensitive data, an attacker may be able to read unintended memory contents, potentially leaking secrets such as credentials or session tokens. - **Arbitrary Code Execution (High Risk):** With careful heap grooming, an attacker could exploit the dangling pointer to overwrite adjacent memory structures, potentially gaining control of program flow and executing arbitrary code in the context of the application. Given that `curl` is widely used in network-related applications, exploitation of this bug can have a significant impact on the security of systems that rely on it.