CVE-2022-43552: A use after free vulnerability exists in curl <7.87.0. Curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET curl would use a heap-allocated struct after it had been freed in its transfer shutdown code path.

Overview

Severity: Medium (CVSS 5.9)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploit Status: Not Exploited
Publicly Disclosed: Yes
Patch Tuesday: 2023-Feb
Released: 2023-02-10
Last Updated: 2026-02-18
EPSS Score: 0.20% (percentile: 42.4%)

FAQ

What is the curl open-source project? Curl is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various network protocols. The name stands for "Client for URL". The Windows implementation provides access to the command-line tool, not the library. What version of curl addresses this CVE? Curl version 7.87.0 addresses this vulnerability. Where can I find more information about this curl vulnerability? More information can be found at NVD and curl.se Are there any workarounds that can be implemented? Preventing the execution of curl.exe is a workaround to be considered Use a WDAC policy to deny execution of the \system32\curl.exe executable. You can merge the deny into an existing policy or create a new policy with it using the Merge-CIPolicy cmdlet; Merge-CIPolicy (ConfigCI) | Microsoft Learn. Once the policy XML file with the deny has been created or merged with an existing policy it must be deployed. Choose how to deploy the policy; Deploying Windows Defender Application Control (WDAC) policies | Microsoft Learn Deploy using a Mobile Device Management (MDM) solution, such as Microsoft Intune Deploy using Microsoft Configuration Manager Deploy via script Deploy via group policy For example: Create a new policy: (These steps will create a new policy named Deny-Curl.xml by merging the deny using the example policy named AllowAll.xml) $rule = new-cipolicyrule -DriverFilePath "$env:systemroot\system32\curl.exe" -Level FilePublisher -Deny $rule[0].attributes["MinimumFileVersion"] = "0.0.0.0" $rule[0].attributes["MaximumFileVersion"] = "7.87.0.0" merge-cipolicy "$env:systemroot\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml" -Rules $rule -OutputFilePath "Deny-Curl.xml" Merge into an existing policy $rule = new-cipolicyrule -DriverFilePath "$env:systemroot\system32\curl.exe" -Level FilePublisher -Deny $rule[0].att

Affected Products (15)

Other

17879-17084
17941-16820
17950-16820
18451-16820
17952-16820
17953-16823
17954-16823
18452-16823
17956-16823
17878-17084
17957-17084
19668-17086
18295-17084
19671-17084
19686-17084

Acknowledgments

<a href="http://eskamation.de/">Stefan Kanthak</a>

Revision History

2023-02-10: Information published.
2023-03-14: CVE updated to add Windows software as Microsoft is aware that certain versions of Windows are affected by the cURL vulnerability. Microsoft will incorporate the new cURL Open Source library that addresses this issue in an upcoming security release.
2023-04-11: Microsoft is announcing the availability of the April 2023 security updates to address this vulnerability for all supported versions of Windows 10 version 1809, Windows 10 version 20H2, Windows 10 version 21H2, Windows 10 version 22H2, Windows 11 version 21H2, Windows 11 version 22H2, Windows Server 2019, and Windows Server 2022. Microsoft strongly recommends that customers install the April 2023 updates to be fully protected from this vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.
2023-04-12: Updated FAQ information. This is an informational change only.
2024-06-30: Information published.
2024-11-20: Added cmake to CBL-Mariner 2.0 Added rust to CBL-Mariner 2.0 Added mysql to CBL-Mariner 2.0 Added curl to CBL-Mariner 2.0 Added tensorflow to Azure Linux 3.0 Added cmake to Azure Linux 3.0 Added curl to CBL-Mariner 1.0
2026-02-18: Information published.