VYPR
Unrated severity · NVD Advisory · Published Dec 14, 2020 · Updated Aug 4, 2024

CVE-2020-8231

Description

libcurl uses a dangling pointer for connect-only connections, potentially sending data to the wrong recipient.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2020-8231 is a dangling pointer issue in libcurl versions 7.29.0 through 7.71.1 [1]. When an application uses the multi API and sets the CURLOPT_CONNECT_ONLY option, libcurl stores a pointer to the internal connectdata struct for that easy handle. If the connect-only connection is later closed (e.g., due to idle timeout), the stored pointer is left dangling, and a new connection may then be allocated at the same memory address. When the application subsequently uses the original easy handle to send data (e.g., via curl_easy_send()), libcurl may incorrectly use the new connection at that memory address [1].
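
The mechanism described above, as an added example that is not libcurl's code and does not come from this advisory: a simplified model in which a fixed slot pool stands in for the allocator, so address reuse is deterministic. All names (`conn`, `handle`, `target_by_ptr`, `target_by_id`, the `.example` peers) are assumptions; the id lookup shows one way to avoid trusting a cached pointer.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a connection cache; all names are hypothetical, not libcurl's. */
#define SLOTS 2
struct conn { long id; char peer[32]; };   /* id -1 marks a free slot */
struct handle { struct conn *lastconn; long lastconn_id; };
static struct conn pool[SLOTS];
static long next_id;

/* Take the first free slot, the way an allocator hands back recently freed memory. */
static struct conn *conn_open(const char *peer) {
    for (int i = 0; i < SLOTS; i++)
        if (pool[i].id == -1) {
            pool[i].id = next_id++;            /* ids are never reused */
            snprintf(pool[i].peer, sizeof pool[i].peer, "%s", peer);
            return &pool[i];
        }
    return NULL;
}

static void conn_close(struct conn *c) { c->id = -1; c->peer[0] = '\0'; }

/* Weak: trusts the cached pointer, so it names whoever occupies that slot now. */
static const char *target_by_ptr(const struct handle *h) { return h->lastconn->peer; }

/* Hardened: resolves the id against live connections; NULL if it is gone. */
static const char *target_by_id(const struct handle *h) {
    for (int i = 0; i < SLOTS; i++)
        if (pool[i].id != -1 && pool[i].id == h->lastconn_id)
            return pool[i].peer;
    return NULL;
}

/* Constructed scenario: connect-only to A, A closes, B is allocated in A's slot. */
static void scenario(struct handle *h) {
    for (int i = 0; i < SLOTS; i++) pool[i].id = -1;   /* start with an empty pool */
    struct conn *a = conn_open("intended.example");
    h->lastconn = a; h->lastconn_id = a->id;
    conn_close(a);                  /* e.g. idle timeout */
    conn_open("other.example");     /* reuses the same address */
}

int main(void) {
    struct handle h;
    scenario(&h);
    const char *safe = target_by_id(&h);
    printf("by pointer: %s\nby id: %s\n", target_by_ptr(&h), safe ? safe : "(closed)");
    return 0;
}
```
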

Exploitation

The attacker must be the recipient of the unintended data transfer. The exploit requires the application to: (1) create a connect-only connection with libcurl, (2) perform other transfers that cause the initial connection to close and a new connection to be allocated at the same memory address, and (3) then use the original easy handle to send data. This race condition is rare and cannot be triggered by the curl command-line tool; only applications using libcurl's multi API with CURLOPT_CONNECT_ONLY are affected [1].

Impact

Successful exploitation could cause the application to inadvertently send data over a different connection than intended, potentially exposing sensitive information to an unintended recipient [1]. The integrity and confidentiality of the data can be compromised, but the attacker does not gain code execution or elevated privileges.

Mitigation

The vulnerability is fixed in libcurl version 7.72.0 and later [1]. Gentoo users should upgrade to net-misc/curl-7.74.0 or later [2]. There is no known workaround for unpatched versions [2]. The flaw is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
