CVE-2021-22901 [High] | Use-After-Free in Curl

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.

EDB-ID	Source	Kind	Published	Link
—	nvd_ref	exploit_tag		Exploit-DB ↗
—	nvd_ref	exploit_tag		Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

—

nvd_ref

exploit_tag

Exploit-DB ↗

—

nvd_ref

exploit_tag

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-04-21	0.34%	0.21%	-0.13%
2	2026-03-04	0.49%	0.34%	-0.15%
3	2026-03-01	—	0.49%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-04-21

0.34%

0.21%

-0.13%

2026-03-04

0.49%

0.34%

-0.15%

2026-03-01

—

0.49%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
8.1	3.1	HIGH	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.2	5.9	[email protected]
6.8	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:P/I:P/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:P) Partial availability impact.	8.6	6.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

8.1

3.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

2.2

5.9

[email protected]

6.8

2.0

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

8.6

6.4

[email protected]

OS Trackers for CVE-2021-22901

vendor	priority	summary	link
`alpine`	—	CVE-2021-22901: 1 source package rows (curl); 13 state rows across 8 repos (3.12-main, 3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 8, open 5.	https://security.alpinelinux.org/vuln/CVE-2021-22901
`debian`	unimportant	CVE-2021-22901 unimportant priority: Debian including 1 source packages (curl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2021-22901
`gentoo`	high	CVE-2021-22901: 1 GLSA(s) (202105-36), 1 atom(s) (net-misc/curl); latest impact high.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2021-22901
`redhat`	high	—	https://access.redhat.com/security/cve/CVE-2021-22901
`ubuntu`	medium	CVE-2021-22901 medium priority: Ubuntu including 1 source packages (curl), 9 status rows across 9 suites (bionic, focal, groovy, hirsute, impish, jammy, trusty, upstream, xenial): not-affected 8, released 1.	https://ubuntu.com/security/CVE-2021-22901

Affected software / configurations for CVE-2021-22901

Vendor	Product	Version	Raw CPE
haxx	curl	>= 7.75.0, <= 7.76.1	cpe:2.3:a:haxx:curl::::::::
oracle	communications_cloud_native_core_binding_support_function	1.11.0	cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:::::::*
oracle	communications_cloud_native_core_network_function_cloud_native_environment	1.10.0	cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:::::::*
oracle	communications_cloud_native_core_network_repository_function	1.15.0	cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:::::::*
oracle	communications_cloud_native_core_network_repository_function	1.15.1	cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:::::::*
oracle	communications_cloud_native_core_network_slice_selection_function	1.8.0	cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:::::::*
oracle	communications_cloud_native_core_service_communication_proxy	1.15.0	cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:::::::*
oracle	essbase	< 11.1.2.4.047	cpe:2.3:a:oracle:essbase::::::::
oracle	essbase	>= 21.0, < 21.3	cpe:2.3:a:oracle:essbase::::::::
oracle	mysql_server	<= 5.7.34	cpe:2.3:a:oracle:mysql_server::::::::
oracle	mysql_server	>= 8.0.0, <= 8.0.25	cpe:2.3:a:oracle:mysql_server::::::::
netapp	active_iq_unified_manager	—	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vsphere::
netapp	active_iq_unified_manager	—	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
netapp	cloud_backup	—	cpe:2.3:a:netapp:cloud_backup:-:::::::*
netapp	oncommand_insight	—	cpe:2.3:a:netapp:oncommand_insight:-:::::::*
netapp	oncommand_workflow_automation	—	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
netapp	snapcenter	—	cpe:2.3:a:netapp:snapcenter:-:::::::*
netapp	solidfire\,_enterprise_sds_\&_hci_storage_node	—	cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:::::::*
netapp	solidfire_\&_hci_management_node	—	cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:::::::*
netapp	solidfire_baseboard_management_controller_firmware	—	cpe:2.3:o:netapp:solidfire_baseboard_management_controller_firmware:-:::::::*
netapp	hci_compute_node_firmware	—	cpe:2.3:o:netapp:hci_compute_node_firmware:-:::::::*
netapp	h300e_firmware	—	cpe:2.3:o:netapp:h300e_firmware:-:::::::*
netapp	h300s_firmware	—	cpe:2.3:o:netapp:h300s_firmware:-:::::::*
netapp	h410s_firmware	—	cpe:2.3:o:netapp:h410s_firmware:-:::::::*
netapp	h500e_firmware	—	cpe:2.3:o:netapp:h500e_firmware:-:::::::*
netapp	h500s_firmware	—	cpe:2.3:o:netapp:h500s_firmware:-:::::::*
netapp	h700e_firmware	—	cpe:2.3:o:netapp:h700e_firmware:-:::::::*
netapp	h700s_firmware	—	cpe:2.3:o:netapp:h700s_firmware:-:::::::*
siemens	sinec_infrastructure_network_services	< 1.0.1.1	cpe:2.3:a:siemens:sinec_infrastructure_network_services::::::::
splunk	universal_forwarder	>= 8.2.0, < 8.2.12	cpe:2.3:a:splunk:universal_forwarder::::::::
splunk	universal_forwarder	>= 9.0.0, < 9.0.6	cpe:2.3:a:splunk:universal_forwarder::::::::
splunk	universal_forwarder	9.1.0	cpe:2.3:a:splunk:universal_forwarder:9.1.0:::::::*

References for CVE-2021-22901

URL	Tags
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	Patch Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf	Third Party Advisory
https://curl.se/docs/CVE-2021-22901.html	Exploit Patch Vendor Advisory
https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479	Patch Third Party Advisory
https://hackerone.com/reports/1180380	Exploit Issue Tracking Third Party Advisory
https://security.netapp.com/advisory/ntap-20210723-0001/	Third Party Advisory
https://security.netapp.com/advisory/ntap-20210727-0007/	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory

URL

CVE-2021-22901

Public exploit references (Exploit-DB) for CVE-2021-22901

Exploit prediction scoring system (EPSS) score for CVE-2021-22901

Common vulnerability scoring system (CVSS) metrics for CVE-2021-22901

Weakness enumeration for CVE-2021-22901

OS Trackers for CVE-2021-22901

Affected software / configurations for CVE-2021-22901

References for CVE-2021-22901