The vulnerability occurs because curl's connection cache could reuse a connection intended for an IPv6 address with a specific zone ID for a new request to the same IPv6 address but with a different zone ID (or no zone ID). This mix-up could lead to sending data to, or receiving data from, an unintended endpoint.
The provided patch directly modifies the hashkey function in lib/conncache.c. This function generates a string key used to identify and look up connections in the cache.
The critical change is the addition of conn->scope_id (the IPv6 zone identifier) to the information used to create this key. The patched call reads: msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
Before this change, the hashkey function (as shown by the removed lines in the patch: msnprintf(buf, len, "%ld%s", port, hostname);) did not include the scope_id. This omission is the root cause of the vulnerability. Because the zone ID was not part of the key, connections to the same host and port but different zone IDs would hash to the same key, making them indistinguishable in the cache and allowing incorrect reuse.
Therefore, the hashkey function, in its state prior to the patch, is the function whose flawed logic directly leads to the vulnerability. The functions that call hashkey and then use its output to perform cache lookups (e.g., Curl_conncache_find_conn, though not directly modified in this specific patch snippet) would be the ones executing the incorrect reuse, but hashkey is where the identifying information was lost.
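The key collision described above can be reproduced in isolation. The following is an added example, not code from curl or from the patch: it uses the two format strings quoted above with standard snprintf in place of curl's msnprintf, and the struct conn_id, the helper names and the sample addresses are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the connection fields the key is built from;
   this is not curl's real connection struct. */
struct conn_id {
  const char *hostname;   /* IPv6 literal without the zone part */
  long port;
  unsigned int scope_id;  /* IPv6 zone identifier, 0 when none was given */
};

typedef void (*keyfn)(const struct conn_id *, char *, size_t);

/* Pre-patch key format quoted on this page: port and hostname only. */
static void key_before(const struct conn_id *c, char *buf, size_t len)
{
  snprintf(buf, len, "%ld%s", c->port, c->hostname);
}

/* Patched key format quoted on this page: scope_id is part of the key. */
static void key_after(const struct conn_id *c, char *buf, size_t len)
{
  snprintf(buf, len, "%u/%ld/%s", c->scope_id, c->port, c->hostname);
}

/* Returns 1 when both connections produce the same cache key string. */
static int same_key(keyfn fn, const struct conn_id *a, const struct conn_id *b)
{
  char ka[128], kb[128];
  fn(a, ka, sizeof(ka));
  fn(b, kb, sizeof(kb));
  return strcmp(ka, kb) == 0;
}

/* Constructed sample: one link-local address with zone 2, zone 3, no zone. */
static const struct conn_id zone2 = { "fe80::1", 443, 2 };
static const struct conn_id zone3 = { "fe80::1", 443, 3 };
static const struct conn_id nozone = { "fe80::1", 443, 0 };

int main(void)
{
  printf("before: zone2/zone3 same key=%d, zone2/nozone same key=%d\n",
         same_key(key_before, &zone2, &zone3),
         same_key(key_before, &zone2, &nozone));
  printf("after:  zone2/zone3 same key=%d, zone2/nozone same key=%d\n",
         same_key(key_after, &zone2, &zone3),
         same_key(key_after, &zone2, &nozone));
  return 0;
}
```

With the old format all three entries share one key; with the patched format each zone ID yields its own key, which is the property a regression test for this fix should assert.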