CVE-2023-27537
Description
Double free vulnerability in libcurl <8.0.0 when sharing HSTS data across threads due to missing mutexes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A double-free vulnerability exists in libcurl versions prior to 8.0.0 when sharing HSTS data between separate handles. The sharing was introduced without thread safety considerations, and the documentation did not warn about concurrent use. Missing mutexes or thread locks allow two threads sharing the same HSTS data to trigger a double-free or use-after-free [1].
Exploitation
An attacker must cause two threads to share the same HSTS data and access it concurrently. This could be achieved if the attacker controls the threading behavior of an application using libcurl, or by exploiting another vulnerability that leads to shared HSTS state. No authentication or network position is required; the vulnerability is triggered locally through concurrent thread execution.
Impact
Successful exploitation results in a double-free or use-after-free condition, potentially leading to memory corruption. This could allow an attacker to execute arbitrary code or cause a denial of service. The confidentiality, integrity, and availability of the affected system may be compromised.
Mitigation
Upgrade to libcurl version 8.0.0 or later, which contains the fix. Gentoo users should upgrade to >=net-misc/curl-8.3.0-r2 [1]. No known workaround exists for earlier versions.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- [1] security.gentoo.org/glsa/202310-12 (vendor advisory; MITRE reference)
- [2] hackerone.com/reports/1897203 (MITRE reference)
- [3] security.netapp.com/advisory/ntap-20230420-0010/ (MITRE reference)
News mentions (0)
No linked articles in our index yet.