Cyber Resilience

CVE-2024-2398

Severity: High · Public PoC available

Published: 27 March 2024
Modified: 30 July 2025
KEV Added: not listed
CVSS v3.1 score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)
EPSS score: 0.0196 (83.9th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-2398 is a high-severity Missing Release of Resource after Effective Lifetime (CWE-772) vulnerability in libcurl, affecting Apple macOS (which bundles curl) among other products. Its CVSS base score is 8.6 (High).

Operationally, it ranks in the top 16.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.


Vulnerability details

When an application tells libcurl it wants to allow HTTP/2 server push, and the number of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Affected versions
haxx | curl | 7.44.0 — 8.7.0
apple | macos | ≤ 12.7.6 · 13.0 — 13.6.8 · 14.0 — 14.6
fedoraproject | fedora | 39, 40
netapp | active iq unified manager | all versions
netapp | ontap select deploy administration utility | all versions
netapp | brocade fabric operating system | all versions
netapp | bootstrap os | all versions
netapp | h300s firmware | all versions
netapp | h410s firmware | all versions
netapp | h500s firmware | all versions

+4 more product configuration(s); see NVD for the full list.

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-772): Ensures network resources are released once the session ends or becomes inactive, closing the window for missing-release weaknesses.
