Come join us at curl up 2025 on May 3 - 4 in Prague. Attend, speak, sponsor!
curl / Docs / curl CVEs / eventfd double close
Awarded 505 USD

CVE-2025-0665

eventfd double close

Project curl Security Advisory, February 5th 2025 - Permalink

VULNERABILITY

libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.

INFO

This flaw requires libcurl to get built with the threaded resolver

It requires that eventfd is used in the curl build. This feature is only used on 64-bit architectures.

The eventfd socket is used for inter-thread messaging and since the communication was originally written to use socketpair() only, there was two close() calls done and the superfluous one was left accidentally used because of an #ifdef mistake.

This bug was reported (and fixed) immediately after the 8.11.1 release, but the security impact was not considered until later. This bug causes libcurl to act unreliably which many users have noticed and either avoided eventfd or the vulnerable version, thus somewhat reducing the impact of this problem.

It can also be worth noting that both close() calls are typically called within a few dozens of instructions, severely limiting the ability for an external party to control which other file descriptor this can be made to affect.

This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2025-0665 to this issue.

CWE-1341: Multiple Releases of Same Resource or Handle

Severity: Low

AFFECTED VERSIONS

libcurl is used by many applications, but not always advertised as such!

SOLUTION

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 8.12.0

B - Apply the patch to your version and rebuild

C - Disable eventfd use in your build

D - Use the c-ares resolver backend

TIMELINE

This issue was reported to the curl project on January 22, 2025. We contacted distros@openwall on January 28, 2025.

curl 8.12.0 was released on February 5 2025 around 08:00 UTC, coordinated with the publication of this advisory.

CREDITS

The original bug was first reported as a "normal" bug, by:

Thanks a lot!