PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-2398 curl CVE debrief

CVE-2024-2398 is a memory leak in libcurl's HTTP/2 server push handling. When an application has enabled server push and a pushed stream carries more headers than libcurl's limit of 1000, libcurl aborts the push, but in affected versions the abort path did not free the headers it had already allocated for that stream. The failure is also silent: the application is never told that a push was rejected, so it cannot detect or count the events. The curl project disclosed the bug with the curl 8.7.0 release on March 27, 2024; libcurl 7.44.0 through 8.6.0 is affected and 8.7.0 and later are fixed.

The advisory and dates discussed on this page belong to a CISA ICS advisory that carried this CVE for Hitachi Energy's MSM product: published October 29, 2024, revised on April 28, 2026 to state that no products are affected, and republished with a final update on May 5, 2026. That advisory's CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L) scores 8.6 (HIGH): network attack vector, low attack complexity, no privileges or user interaction, and impact to confidentiality, integrity and availability. A memory leak in a client affects availability only, however; the 7.5 shown in the header block is what the same exploitability metrics score with an availability-only impact (C:N/I:N/A:H), and it is the better description of what this bug can actually do.

Vendor
curl
Product
SINEMA Remote Connect Client
CVSS
HIGH 7.5 (availability-only vector; the advisory's own vector scores 8.6, see Evidence notes)
CISA KEV
Not listed in stored evidence
Original CVE published
2024-09-10
Original CVE updated
2024-09-10
Advisory published
2024-09-10
Advisory updated
2024-09-10

Who should care

Organizations running applications that link libcurl 7.44.0 through 8.6.0 and that have enabled HTTP/2 server push by registering a push callback (CURLMOPT_PUSHFUNCTION). Applications that never set that option do not accept pushed streams and cannot reach the leaking code, and the curl command-line tool has no option to enable server push at all. The CISA advisory was raised for industrial control environments running the Hitachi Energy MSM client, and anyone operating long-running or memory-constrained services built on libcurl should check the library version in use and patch.

Technical summary

This vulnerability stems from improper resource cleanup in libcurl's HTTP/2 server push implementation (CWE-772). As a PUSH_PROMISE arrives, libcurl stores each header of the pushed stream as a separately allocated "name: value" string in a per-stream array so that it can hand the set to the application's push callback. When the count passes 1000, libcurl rejects the push, but in affected versions the rejection path returned without freeing the strings already stored, so every over-limit push costs the client the headers collected up to the limit and they are never reclaimed. Because the push callback is not invoked for a rejected push and no error surfaces through the transfer, the application has no signal that anything went wrong. A malicious or compromised server that a push-enabled client keeps talking to can repeat such pushes and drive the process toward memory exhaustion. The fix in libcurl 8.7.0 releases the collected headers on the error path. The CISA advisory was updated in 2026 to state that no Hitachi Energy MSM products are affected, but the libcurl bug itself remains relevant to any other application in the affected version range that enables server push.
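The following is an added illustration written for this debrief, not code from curl or from Hitachi Energy: a reduced model of how a pushed stream's headers are accumulated, what the over-limit path did before the fix, and what the fix changed. All function, type and constant names are this example's own; only the 1000-header cap comes from the advisory. An instrumented allocator counts live header strings so the leak shows up as a number rather than requiring valgrind.

```c
/* Added example, not libcurl code: model of CVE-2024-2398's leak on the
 * "too many push headers" path. Names here are hypothetical; the cap of
 * 1000 headers is the one the advisory describes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PUSH_HEADER_LIMIT 1000

/* Instrumented allocation: live_header_allocs is the number of header
 * strings currently allocated, so a leak is directly observable. */
static long live_header_allocs = 0;

static char *tracked_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if(p) {
        memcpy(p, s, n);
        live_header_allocs++;
    }
    return p;
}

static void tracked_free(char *p)
{
    if(p) {
        free(p);
        live_header_allocs--;
    }
}

/* Per-pushed-stream state: a growable array of "name: value" strings. */
struct push_stream {
    char **headers;
    size_t used;
    size_t alloc;
};

static void push_headers_free(struct push_stream *st)
{
    size_t i;
    for(i = 0; i < st->used; i++)
        tracked_free(st->headers[i]);
    free(st->headers);
    st->headers = NULL;
    st->used = st->alloc = 0;
}

/* Called once per header of the PUSH_PROMISE. Returns 0 when stored, -1 when
 * the push is rejected. fixed == 0 reproduces the vulnerable behaviour: the
 * over-limit path returns without releasing what was already collected.
 * fixed != 0 releases everything first, as the patched library does. In both
 * cases the caller receives no headers and no error: the failure is silent. */
static int on_push_header(struct push_stream *st, const char *name,
                          const char *value, int fixed)
{
    char line[256];

    if(st->used == st->alloc) {
        if(st->alloc >= PUSH_HEADER_LIMIT) {
            if(fixed)
                push_headers_free(st);
            return -1;
        }
        size_t nalloc = st->alloc ? st->alloc * 2 : 10;
        if(nalloc > PUSH_HEADER_LIMIT)
            nalloc = PUSH_HEADER_LIMIT;
        char **nh = realloc(st->headers, nalloc * sizeof(char *));
        if(!nh) {
            push_headers_free(st);
            return -1;
        }
        st->headers = nh;
        st->alloc = nalloc;
    }
    snprintf(line, sizeof line, "%s: %s", name, value);
    st->headers[st->used] = tracked_strdup(line);
    if(!st->headers[st->used]) {
        push_headers_free(st);
        return -1;
    }
    st->used++;
    return 0;
}

/* Feed `count` headers of a constructed malicious push, then tear the stream
 * down as happens when an accepted push completes. Returns how many header
 * strings are still allocated afterwards, i.e. the leak caused by one push. */
static long simulate_push(int count, int fixed)
{
    struct push_stream st = {NULL, 0, 0};
    long before = live_header_allocs;
    char name[32];
    int i;

    for(i = 0; i < count; i++) {
        snprintf(name, sizeof name, "x-pad-%d", i);
        if(on_push_header(&st, name, "a", fixed) != 0)
            return live_header_allocs - before;  /* rejected: no normal cleanup */
    }
    push_headers_free(&st);  /* accepted push: normal completion frees all */
    return live_header_allocs - before;
}

int main(void)
{
    printf("1001 headers, vulnerable: %ld strings leaked\n", simulate_push(1001, 0));
    printf("1001 headers, fixed     : %ld strings leaked\n", simulate_push(1001, 1));
    printf("1000 headers, vulnerable: %ld strings leaked\n", simulate_push(1000, 0));
    return 0;
}
```

Note that a push of exactly 1000 headers is accepted and cleaned up normally in both variants; the leak is triggered by the 1001st header, and each such push leaks the 1000 strings collected before it. The application never sees the rejected push, so only memory monitoring or a patched library addresses it.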

Defensive priority

HIGH

Recommended defensive actions

  • Inventory applications that link libcurl and check the library version at run time (curl_version_info) rather than only at build time, since dynamically linked builds pick up whatever the host provides; libcurl 7.44.0 through 8.6.0 is affected
  • Within that set, identify applications that register an HTTP/2 push callback (CURLMOPT_PUSHFUNCTION); only those can reach the leaking path, and removing the callback closes it wherever server push is not actually needed
  • Monitor resident memory of long-running libcurl processes that accept server push, since the leak is silent and shows up as steady growth rather than as errors
  • Update to libcurl 8.7.0 or later, or apply the vendor's backport of the upstream fix
  • Segment networks so that systems running the MSM client are not internet-facing
  • Apply user access management controls and current antivirus software on systems with the MSM client installed
  • Follow CIS hardening guidelines for host operating systems connecting to MSM to limit lateral movement
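The first two actions above amount to a two-part test: is the linked libcurl in the affected range, and does the application opt in to server push. The following added example (written for this page, not part of curl or the advisory) implements that test. It relies on one real convention: libcurl reports its version as a packed number 0xXXYYZZ (major, minor, patch), available at compile time as LIBCURL_VERSION_NUM and at run time as curl_version_info(CURLVERSION_NOW)->version_num. The parser also accepts the "libcurl/X.Y.Z" token from `curl --version` output for hosts where the tool version and library version differ. The function names, the sample version strings and the exposure rule are this example's own, and nothing here links against libcurl, so it compiles stand-alone.

```c
/* Added example, not curl project code: CVE-2024-2398 exposure check.
 * Affected range per the curl advisory: 7.44.0 through 8.6.0, fixed in 8.7.0.
 * Packed form follows libcurl's 0xXXYYZZ convention (major, minor, patch). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CVE_2024_2398_FIRST 0x072C00u   /* 7.44.0: server push introduced */
#define CVE_2024_2398_LAST  0x080600u   /* 8.6.0:  last affected release  */

/* Parse "8.6.0", or a line containing "libcurl/8.6.0", into packed form.
 * Returns 0 when the string does not carry a usable version. */
unsigned int libcurl_packed_version(const char *s)
{
    const char *p = strstr(s, "libcurl/");
    unsigned long maj, min, pat;
    char *end;

    p = p ? p + 8 : s;           /* skip the "libcurl/" prefix if present */
    maj = strtoul(p, &end, 10);
    if(end == p || *end != '.')
        return 0;
    p = end + 1;
    min = strtoul(p, &end, 10);
    if(end == p || *end != '.')
        return 0;
    p = end + 1;
    pat = strtoul(p, &end, 10);
    if(end == p || maj > 255 || min > 255 || pat > 255)
        return 0;
    return (unsigned int)((maj << 16) | (min << 8) | pat);
}

/* The leak is reachable only when the library is in range AND the application
 * enabled server push by setting CURLMOPT_PUSHFUNCTION. Returns 1 if exposed.
 * In a real application pass curl_version_info(CURLVERSION_NOW)->version_num
 * as version_num; a build-time LIBCURL_VERSION_NUM can be stale when the
 * shared library on the host differs from the one compiled against. */
int cve_2024_2398_exposed(unsigned int version_num, int sets_push_callback)
{
    int in_range = version_num >= CVE_2024_2398_FIRST &&
                   version_num <= CVE_2024_2398_LAST;
    return in_range && sets_push_callback;
}

int main(void)
{
    /* Constructed sample: tool is 8.5.0 but the shared libcurl is 8.6.0. */
    const char *sample = "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 "
                         "OpenSSL/3.0.13 zlib/1.3 nghttp2/1.59.0";
    unsigned int v = libcurl_packed_version(sample);

    printf("libcurl 0x%06X: push enabled -> %s, push disabled -> %s\n", v,
           cve_2024_2398_exposed(v, 1) ? "EXPOSED" : "not exposed",
           cve_2024_2398_exposed(v, 0) ? "EXPOSED" : "not exposed");
    printf("libcurl 8.7.0 with push enabled -> %s\n",
           cve_2024_2398_exposed(libcurl_packed_version("8.7.0"), 1)
               ? "EXPOSED" : "not exposed");
    return 0;
}
```

The sample line illustrates why the run-time number matters: the curl tool reports 8.5.0 but the library actually loaded is 8.6.0, and it is the library that carries the bug.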

Evidence notes

The vulnerability description is sourced from CISA CSAF advisory ICSA-24-319-16, initially published on October 29, 2024 and revised several times: a republication on November 14, 2024, a revision on April 28, 2026 stating that no products are affected, and a final update on May 5, 2026. The advisory references Hitachi Energy document 8DBD000205. The CVSS vector in the source is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, which computes to 8.6; the 7.5 shown in the header block is what the same exploitability metrics score with an availability-only impact (C:N/I:N/A:H). CWE-772 (Missing Release of Resource after Effective Lifetime) is associated with this vulnerability. The header's product field (SINEMA Remote Connect Client) and its 2024-09-10 publication and update dates do not match the Hitachi Energy advisory described here and appear to come from a separate stored record for the same CVE; the narrative above follows the Hitachi Energy advisory. The affected libcurl range (7.44.0 through 8.6.0, fixed in 8.7.0), the CURLMOPT_PUSHFUNCTION opt-in and the March 27, 2024 disclosure date come from the curl project's own advisory for this CVE and are not in the stored CISA record.

Official resources

2024-10-29