PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-38545 Microsoft CVE debrief

CVE-2023-38545 is a critical heap-based buffer overflow in curl/libcurl's SOCKS5 proxy handshake path. When the handshake is slow, curl can lose track of whether it had decided to resolve a hostname locally rather than let the proxy resolve it, and then copy a hostname longer than 255 bytes into a heap buffer instead of only the resolved address. The CVSS v3.1 score is 9.8, reflecting network reachability, no privileges or user interaction, and high impact.

Vendor: Microsoft
Product: CVE-2023-38545
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-10-18
Original CVE updated: 2026-05-12
Advisory published: 2023-10-18
Advisory updated: 2026-05-12

Who should care

Teams running curl/libcurl directly, and vendors or application owners shipping products that embed libcurl, should care most. Risk is highest where SOCKS5 proxying is enabled or where downstream packages inherit the vulnerable library build.

Technical summary

The flaw is a CWE-787 out-of-bounds write in curl's SOCKS5 proxy handshake logic. According to the CVE description, hostnames longer than 255 bytes should trigger local name resolution, but during a slow handshake a local variable controlling that choice could take the wrong value. When that happens, curl may copy the too-long hostname into a heap-based target buffer instead of the resolved address, creating a remote heap buffer overflow. NVD lists affected libcurl versions from 7.69.0 up to, but not including, 8.4.0, and also includes several downstream products and operating system builds that bundle vulnerable curl components.
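The defect class described above, as an added example that is not curl's code: a constructed C model of a SOCKS5 handshake state machine in which the "too long, resolve locally instead" decision is held in a local variable that does not survive a slow, re-entered handshake, beside a hardened version that enforces the 255-byte limit on every entry and refuses to copy anything that does not fit. The struct and function names, the 600-byte target buffer and the request builder are assumptions made for this example; the hardened version rejects an oversize name rather than silently switching resolver, which is a design choice here, not a statement about how curl's fix behaves.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the hostname-vs-address decision in a SOCKS5 handshake
 * state machine. Illustration only: not curl's code; names and sizes are
 * hypothetical. */

/* RFC 1928 encodes a domain-name destination (ATYP 0x03) behind a one-byte
 * length prefix, which is why a name sent to the proxy is capped at 255 bytes. */
#define SOCKS5_MAX_HOSTNAME 255

enum socks_action {
    ACT_SEND_HOSTNAME,  /* send the name; the proxy resolves it */
    ACT_SEND_RESOLVED,  /* resolve locally; send the IPv4 address */
    ACT_REJECT          /* fail the connection */
};

/* Connection state that survives a handshake that had to wait for the proxy. */
struct socks_state {
    bool proxy_resolves;  /* configured to let the proxy resolve names */
    bool resumed;         /* re-entered after a slow read */
};

/* Buggy pattern (the defect class the CVE describes): the override that says
 * "too long, resolve locally instead" lives in a local computed on first entry
 * only. When a slow handshake re-enters, the override is gone and the oversize
 * hostname is selected for copying. */
enum socks_action decide_vulnerable(const struct socks_state *st, size_t hostname_len)
{
    bool resolve_locally = !st->proxy_resolves;
    if (!st->resumed && hostname_len > SOCKS5_MAX_HOSTNAME)
        resolve_locally = true;
    return resolve_locally ? ACT_SEND_RESOLVED : ACT_SEND_HOSTNAME;
}

/* Hardened pattern: the limit is enforced on every entry, before any copy,
 * and a name the proxy cannot encode is rejected instead of being rerouted. */
enum socks_action decide_fixed(const struct socks_state *st, size_t hostname_len)
{
    if (!st->proxy_resolves)
        return ACT_SEND_RESOLVED;
    if (hostname_len > SOCKS5_MAX_HOSTNAME)
        return ACT_REJECT;
    return ACT_SEND_HOSTNAME;
}

/* Bytes a CONNECT request needs: VER CMD RSV ATYP, then LEN+name or a 4-byte
 * IPv4 address, then a 2-byte port. 0 means no request is sent. */
size_t request_size(enum socks_action act, size_t hostname_len)
{
    if (act == ACT_SEND_HOSTNAME) return 4 + 1 + hostname_len + 2;
    if (act == ACT_SEND_RESOLVED) return 4 + 4 + 2;
    return 0;
}

/* Would the chosen action write past a target buffer of buf_size bytes? This
 * is the condition the vulnerable decision reaches on the resumed path. */
bool would_overflow(enum socks_action act, size_t hostname_len, size_t buf_size)
{
    size_t need = request_size(act, hostname_len);
    return need != 0 && need > buf_size;
}

/* Builds the request with explicit encoding and bounds checks. Returns bytes
 * written, or -1 when the name is not encodable or the request would not fit. */
int build_request(enum socks_action act, const char *hostname, size_t hostname_len,
                  const unsigned char ipv4[4], unsigned short port,
                  unsigned char *buf, size_t buf_size)
{
    if (act == ACT_SEND_HOSTNAME && hostname_len > SOCKS5_MAX_HOSTNAME)
        return -1;                                 /* the length byte cannot hold it */
    size_t need = request_size(act, hostname_len);
    if (need == 0 || need > buf_size)
        return -1;                                 /* refuse instead of overflowing */
    buf[0] = 0x05; buf[1] = 0x01; buf[2] = 0x00;   /* VER=5, CMD=CONNECT, RSV */
    size_t off = 3;
    if (act == ACT_SEND_HOSTNAME) {
        buf[off++] = 0x03;                         /* ATYP: domain name */
        buf[off++] = (unsigned char)hostname_len;
        memcpy(buf + off, hostname, hostname_len);
        off += hostname_len;
    } else {
        buf[off++] = 0x01;                         /* ATYP: IPv4 */
        memcpy(buf + off, ipv4, 4);
        off += 4;
    }
    buf[off++] = (unsigned char)(port >> 8);
    buf[off++] = (unsigned char)(port & 0xff);
    return (int)off;
}

int main(void)
{
    struct socks_state slow = { .proxy_resolves = true, .resumed = true };
    size_t long_name = 1000;   /* constructed oversize hostname length */
    size_t buf_size = 600;     /* hypothetical target buffer size */
    printf("vulnerable decision overflows: %d\n",
           would_overflow(decide_vulnerable(&slow, long_name), long_name, buf_size));
    printf("fixed decision overflows: %d\n",
           would_overflow(decide_fixed(&slow, long_name), long_name, buf_size));
    return 0;
}
```

The vulnerable decision is never used to write past a buffer here: would_overflow only reports the condition and build_request refuses it. The property worth reviewing in any state machine that suspends on I/O is that a size-dependent decision is recomputed, or at least re-validated, on every entry rather than cached in a local that the resumed path never sees.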

Defensive priority

Urgent. This is a remotely reachable, unauthenticated, no-user-interaction memory corruption issue with critical impact potential.

Recommended defensive actions

  • Upgrade curl/libcurl to 8.4.0 or later in all directly managed systems.
  • Patch or replace downstream products and OS packages that bundle affected libcurl builds.
  • Inventory where SOCKS5 proxy support is used, since that is the vulnerable handshake path described in the CVE.
  • Validate vendor advisories and package notices for embedded curl updates before assuming a system is safe.
  • Monitor for unexpected crashes or instability in applications that use libcurl through proxy connections.
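For the first two actions above, an added example in C that is neither the advisory's nor curl's code: it classifies a libcurl version string against the affected range the NVD record gives, 7.69.0 up to but not including 8.4.0, and pulls the libcurl/X.Y.Z token out of the first line that `curl --version` prints. The sample line and the function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of the advisory: classify a libcurl version against
 * the affected range given for CVE-2023-38545, 7.69.0 <= version < 8.4.0. */

struct semver { int major, minor, patch; };

/* Parse "X.Y.Z"; a trailing suffix such as "-DEV" is ignored. Returns false on
 * malformed input so callers never silently treat garbage as "not affected". */
bool parse_version(const char *s, struct semver *out)
{
    int n = sscanf(s, "%d.%d.%d", &out->major, &out->minor, &out->patch);
    return n == 3 && out->major >= 0 && out->minor >= 0 && out->patch >= 0;
}

/* Lexicographic compare of (major, minor, patch): -1, 0 or 1. */
int cmp_version(struct semver a, struct semver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* 1 = inside the affected range, 0 = outside it, -1 = unparseable. */
int libcurl_affected(const char *version)
{
    static const struct semver first = {7, 69, 0};   /* first affected release */
    static const struct semver fixed = {8, 4, 0};    /* fix release, excluded */
    struct semver v;
    if (!parse_version(version, &v)) return -1;
    return cmp_version(v, first) >= 0 && cmp_version(v, fixed) < 0;
}

/* Copy the "X.Y.Z" that follows "libcurl/" in a `curl --version` line into out.
 * Returns false when the token is absent or does not fit. */
bool extract_libcurl_version(const char *line, char *out, size_t out_size)
{
    const char *p = strstr(line, "libcurl/");
    if (!p) return false;
    p += strlen("libcurl/");
    size_t n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= out_size) return false;
    memcpy(out, p, n);
    out[n] = '\0';
    return true;
}

/* Classify a whole version line; -1 when no libcurl token is present. */
int line_affected(const char *line)
{
    char ver[32];
    if (!extract_libcurl_version(line, ver, sizeof ver)) return -1;
    return libcurl_affected(ver);
}

int main(void)
{
    /* Constructed sample in the shape of the first line of `curl --version`. */
    const char *line =
        "curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9 zlib/1.2.13";
    int r = line_affected(line);
    printf("%s\n", r == 1 ? "in affected range" :
                   r == 0 ? "outside affected range" : "no libcurl version found");
    return 0;
}
```

A version number is a triage signal, not a verdict: distributions commonly backport security fixes without changing the upstream version string, so anything this flags still needs the check in the fourth action above, confirming the fix against the vendor's package notice or changelog.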

Evidence notes

The CVE was published on 2023-10-18 and later modified on 2026-05-12 in the supplied NVD record. The supplied NVD data describes the issue as a heap-based buffer overflow in curl's SOCKS5 proxy handshake and marks libcurl 7.69.0 through 8.3.x as affected, with 8.4.0 as the exclusion boundary. No KEV listing was supplied.

Official resources

Publicly disclosed in the official CVE record on 2023-10-18. The supplied data does not indicate CISA KEV inclusion. Disclosure analysis here is limited to the official CVE/NVD record and the references enumerated in the source corpus.