libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).
Conclusion & alert: CVE-2024-2466 is rated High Exploit Risk (65.4/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.30%). Core evidence: 2 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +1.15% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ | |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.15% | 1.30% | +1.15% |
| 2 | 2026-03-04 | 0.22% | 0.15% | -0.07% |
| 3 | 2026-03-01 | — | 0.22% | — |
Full EPSS history (32 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.5 | 3.1 | MEDIUM |
|
3.9 | 2.5 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2024-2466: 1 source package rows (curl); 207 state rows across 7 repos (3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 7, open 200. | https://security.alpinelinux.org/vuln/CVE-2024-2466 |
debian
|
unimportant | CVE-2024-2466 unimportant priority: Debian including 1 source packages (curl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2024-2466 |
gentoo
|
normal | CVE-2024-2466: 1 GLSA(s) (202409-20), 1 atom(s) (net-misc/curl); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2024-2466 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2024-2466 |
suse
|
medium | — | https://www.suse.com/security/cve/CVE-2024-2466/ |
ubuntu
|
medium | CVE-2024-2466 medium priority: Ubuntu including 1 source packages (curl), 8 status rows across 8 suites (bionic, focal, jammy, mantic, noble, trusty, upstream, xenial): not-affected 7, released 1. | https://ubuntu.com/security/CVE-2024-2466 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| haxx | curl | >= 8.5.0, < 8.7.0 | cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* |
| apple | macos | < 12.7.6 | cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* |
| apple | macos | >= 13.0, < 13.6.8 | cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* |
| apple | macos | >= 14.0, < 14.6 | cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* |
| netapp | h700s_firmware | — | cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:* |
| netapp | bootstrap_os | — | cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:* |
| netapp | h300s_firmware | — | cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* |
| netapp | h410s_firmware | — | cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:* |
| netapp | h500s_firmware | — | cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://seclists.org/fulldisclosure/2024/Jul/18 | Mailing List Third Party Advisory |
| http://seclists.org/fulldisclosure/2024/Jul/19 | Mailing List Third Party Advisory |
| http://seclists.org/fulldisclosure/2024/Jul/20 | Mailing List Third Party Advisory |
| http://www.openwall.com/lists/oss-security/2024/03/27/4 | Mailing List Third Party Advisory |
| https://curl.se/docs/CVE-2024-2466.html | Vendor Advisory |
| https://curl.se/docs/CVE-2024-2466.json | Vendor Advisory |
| https://hackerone.com/reports/2416725 | Exploit Issue Tracking Third Party Advisory |
| https://security.netapp.com/advisory/ntap-20240503-0010/ | Third Party Advisory |
| https://support.apple.com/kb/HT214118 | Release Notes Vendor Advisory |
| https://support.apple.com/kb/HT214119 | Release Notes Vendor Advisory |
| https://support.apple.com/kb/HT214120 | Release Notes Vendor Advisory |
| https://www.vicarius.io/vsociety/posts/tls-certificate-check-bypass-curl-with-mbedtls-cve-2024-2466-2468 | Exploit Mitigation Third Party Advisory |