CVE-2023-38545 [Critical] | Out-of-bounds Write in Libcurl

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-09	26.75%	26.25%	-0.50%
2	2026-05-27	26.25%	26.75%	+0.50%
3	2026-05-05	—	26.25%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-09

26.75%

26.25%

-0.50%

2026-05-27

26.25%

26.75%

+0.50%

2026-05-05

—

26.25%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
9.8	3.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	5.9	[email protected]
8.8	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

9.8

3.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

5.9

[email protected]

8.8

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

2.8

5.9

134c704f-9b21-4f2e-91b3-4a467353bcc0

OS Trackers for CVE-2023-38545

vendor	priority	summary	link
`alpine`	—	CVE-2023-38545: 1 source package rows (curl); 7 state rows across 7 repos (3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 7, open 0.	https://security.alpinelinux.org/vuln/CVE-2023-38545
`debian`	not yet assigned	CVE-2023-38545 not yet assigned priority: Debian including 1 source packages (curl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2023-38545
`gentoo`	high	CVE-2023-38545: 1 GLSA(s) (202310-12), 1 atom(s) (net-misc/curl); latest impact high.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2023-38545
`redhat`	high	—	https://access.redhat.com/security/cve/CVE-2023-38545
`suse`	high	CVE-2023-38545 severity important: SUSE including 335 source package names (1.2.3-2.2.19:libcurl4-8.0.1-150400.5.32.1, 1.2.3-3.2.19:libcurl4-8.0.1-150400.5.32.1, …), 780 product×package rows across 229 product lines (Container bci/bci-init, Container bci/golang, … (229 product lines)): Fixed 501, Known Affected 186, Known Not Affected 93.	https://www.suse.com/security/cve/CVE-2023-38545/
`ubuntu`	high	CVE-2023-38545 high priority: Ubuntu including 1 source packages (curl), 9 status rows across 9 suites (bionic, focal, jammy, lunar, mantic, noble, trusty, upstream, xenial): not-affected 4, released 4, needs-triage 1.	https://ubuntu.com/security/CVE-2023-38545

Affected software / configurations for CVE-2023-38545

Vendor	Product	Version	Raw CPE
haxx	libcurl	>= 7.69.0, < 8.4.0	cpe:2.3:a:haxx:libcurl::::::::
fedoraproject	fedora	37	cpe:2.3:o:fedoraproject:fedora:37:::::::*
netapp	active_iq_unified_manager	—	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
netapp	active_iq_unified_manager	—	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
netapp	oncommand_insight	—	cpe:2.3:a:netapp:oncommand_insight:-:::::::*
netapp	oncommand_workflow_automation	—	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
microsoft	windows_10_1809	< 10.0.17763.5122	cpe:2.3:o:microsoft:windows_10_1809::::::::
microsoft	windows_10_21h2	< 10.0.19044.3693	cpe:2.3:o:microsoft:windows_10_21h2::::::::
microsoft	windows_10_22h2	< 10.0.19045.3693	cpe:2.3:o:microsoft:windows_10_22h2::::::::
microsoft	windows_11_21h2	< 10.0.22000.2600	cpe:2.3:o:microsoft:windows_11_21h2::::::::
microsoft	windows_11_22h2	< 10.0.22621.2715	cpe:2.3:o:microsoft:windows_11_22h2::::::::
microsoft	windows_11_23h2	< 10.0.22631.2715	cpe:2.3:o:microsoft:windows_11_23h2::::::::
microsoft	windows_server_2019	< 10.0.17763.5122	cpe:2.3:o:microsoft:windows_server_2019::::::::
microsoft	windows_server_2022	< 10.0.20348.2113	cpe:2.3:o:microsoft:windows_server_2022::::::::

References for CVE-2023-38545

URL	Tags
http://seclists.org/fulldisclosure/2024/Jan/34	Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/37	Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/38	Mailing List Third Party Advisory
https://curl.se/docs/CVE-2023-38545.html	Patch Third Party Advisory
https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868
https://lists.fedoraproject.org/archives/list/[email protected]/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20231027-0009/	Third Party Advisory
https://security.netapp.com/advisory/ntap-20240201-0005/	Third Party Advisory
https://support.apple.com/kb/HT214036	Third Party Advisory
https://support.apple.com/kb/HT214057	Third Party Advisory
https://support.apple.com/kb/HT214058	Third Party Advisory
https://support.apple.com/kb/HT214063	Third Party Advisory
https://www.secpod.com/blog/high-severity-heap-buffer-overflow-vulnerability/	Patch Third Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-082556.html
https://cert-portal.siemens.com/productcert/html/ssa-093430.html
https://cert-portal.siemens.com/productcert/html/ssa-507364.html
https://cert-portal.siemens.com/productcert/html/ssa-832273.html
https://cert-portal.siemens.com/productcert/html/ssa-943925.html
https://github.com/UTsweetyfish/CVE-2023-38545
https://github.com/bcdannyboy/CVE-2023-38545
https://github.com/dbrugman/CVE-2023-38545-POC

URL

CVE-2023-38545

Exploit prediction scoring system (EPSS) score for CVE-2023-38545

Common vulnerability scoring system (CVSS) metrics for CVE-2023-38545

Weakness enumeration for CVE-2023-38545

GitHub Security Advisory for CVE-2023-38545

OS Trackers for CVE-2023-38545

Affected software / configurations for CVE-2023-38545

References for CVE-2023-38545