Awarded 100 USD


use after free in handle close

Project curl Security Advisory, October 31st 2018


libcurl contains a heap use after free flaw in code related to closing an easy handle.

When closing and cleaning up an "easy" handle in the Curl_close() function, the library code first frees a struct without clearing the pointer to it, and may then erroneously write to a field of that already freed struct.
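The defect pattern described above (free a sub-struct, leave the pointer dangling, write through it later) and the two usual ways to close that window, as an added illustration in C. This is constructed example code, not libcurl's code: the struct names `easy_handle` and `conn_state`, the `dirty` flag and the close functions are all assumptions standing in for the real Curl_close() internals.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the real libcurl structures (not curl's code). */
struct conn_state {
    int bytes_pending;
};

struct easy_handle {
    struct conn_state *conn;   /* owned sub-struct, released during close */
    int dirty;                 /* a final bookkeeping write is still pending */
};

struct easy_handle *handle_new(void)
{
    struct easy_handle *h = calloc(1, sizeof(*h));
    if (!h)
        return NULL;
    h->conn = calloc(1, sizeof(*h->conn));
    if (!h->conn) {
        free(h);
        return NULL;
    }
    h->conn->bytes_pending = 42;   /* constructed value */
    h->dirty = 1;
    return h;
}

/*
 * The flawed shape from the advisory: the sub-struct is freed first, the
 * pointer is left dangling, and a later cleanup step writes through it.
 * Defined only for comparison and never called here, because executing it
 * is a heap use after free (CWE-416).
 */
void handle_close_flawed(struct easy_handle *h)
{
    free(h->conn);                  /* conn now dangles */
    if (h->dirty)
        h->conn->bytes_pending = 0; /* write into freed memory */
    free(h);
}

/* Clear the pointer at the moment of free so stale uses hit NULL, not freed memory. */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)

/*
 * Mitigation 1: null the pointer and guard every later write. A leftover
 * write is converted from memory corruption into a skipped step. Returns the
 * number of writes skipped, which a caller can log as evidence of a lifetime
 * bug that would otherwise have been silent.
 */
int handle_close_guarded(struct easy_handle *h)
{
    int skipped = 0;
    FREE_AND_NULL(h->conn);
    if (h->dirty) {
        if (h->conn)
            h->conn->bytes_pending = 0;
        else
            skipped++;             /* target already gone: skip, do not write */
    }
    free(h);
    return skipped;
}

/*
 * Mitigation 2: reorder so the pending write happens while its target is
 * still alive, then free. The guard stays in place as a belt-and-braces
 * check; with correct ordering it is never triggered, so this returns 0.
 */
int handle_close_reordered(struct easy_handle *h)
{
    int skipped = 0;
    if (h->dirty && h->conn) {
        h->conn->bytes_pending = 0; /* flushed before the free */
        h->dirty = 0;
    }
    FREE_AND_NULL(h->conn);
    if (h->dirty) {
        if (h->conn)
            h->conn->bytes_pending = 0;
        else
            skipped++;
    }
    free(h);
    return skipped;
}

int main(void)
{
    struct easy_handle *a = handle_new();
    struct easy_handle *b = handle_new();
    if (!a || !b)
        return 1;
    printf("guarded close skipped %d write(s)\n", handle_close_guarded(a));
    printf("reordered close skipped %d write(s)\n", handle_close_reordered(b));
    return 0;
}
```

The reordering is the real fix, since it makes the write correct rather than merely harmless; nulling at the point of free is cheap defence in depth that turns any remaining stale access into a NULL dereference or a skipped step, both of which are far easier to spot in testing than a silent write into freed heap memory. Building with AddressSanitizer (`-fsanitize=address`) and exercising the close path is the standard way to catch the flawed ordering before release.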


The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2018-16840 to this issue.

CWE-416: Use After Free

Severity: Low


curl is used by many applications, but not always advertised as such.



We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl to version 7.62.0

B - Apply the patch to your version and rebuild


This issue was reported to the curl project on October 14, 2018. We contacted distros@openwall on October 22.

curl 7.62.0 was released on October 31 2018, coordinated with the publication of this advisory.


Thanks a lot!