CVE-2023-28320
Description
A race condition in curl's synchronous resolver leads to denial of service in multi-threaded applications via a non-mutex-protected global buffer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A denial of service vulnerability exists in curl before version 8.1.0 in the synchronous resolver backend. When libcurl is built to use the synchronous resolver, it uses alarm() and siglongjmp() to time out slow name resolutions. The global buffer used in this process is not mutex-protected, so in multi-threaded applications concurrent resolver timeouts race on that buffer and can cause crashes or other misbehavior [4].
Exploitation
An attacker can trigger a slow name resolution (e.g., by providing a malicious DNS server or delaying responses) in a multi-threaded application using libcurl. If multiple threads simultaneously perform name resolutions that time out, the race condition on the global buffer can cause the application to crash due to undefined behavior.
Impact
Successful exploitation results in a denial of service (application crash) in multi-threaded applications that use libcurl with the synchronous resolver. No privilege escalation or data disclosure is reported.
Mitigation
The vulnerability is fixed in curl version 8.1.0 and later. Gentoo recommends upgrading to >=net-misc/curl-8.3.0-r2 [4]. No known workaround exists; users should update their curl installations.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
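The only remediation the record gives is updating, so the practical question on a fleet is which hosts are actually exposed. The script below is an added example, not part of this CVE record or of the curl project: it classifies a curl build from the output of `curl --version`. It assumes the first output line starts "curl X.Y.Z" and that the "Features:" line lists "AsynchDNS" only when libcurl was built with the threaded or c-ares resolver, i.e. not the synchronous resolver this CVE concerns. The sample outputs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of this CVE record or of the curl project):
# classify a host's curl build from `curl --version` output.
# Assumptions: the first output line starts "curl X.Y.Z", and the
# "Features:" line contains "AsynchDNS" only when libcurl was built with
# the threaded or c-ares resolver, i.e. not the synchronous resolver that
# CVE-2023-28320 concerns.

# Map "X.Y.Z" to a zero-padded integer so that versions compare with -ge.
version_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

# Usage: curl_exposure "$(curl --version)"
# Prints "unknown", "not-affected" or "affected".
curl_exposure() {
    out="$1"
    ver=$(printf '%s\n' "$out" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    # 8.1.0 and later carry the upstream fix regardless of resolver backend.
    if [ "$(version_key "$ver")" -ge "$(version_key 8.1.0)" ]; then
        echo "not-affected"
        return 0
    fi
    # Older upstream version: only the synchronous-resolver build is exposed.
    if printf '%s\n' "$out" | grep -q '^Features:.*AsynchDNS'; then
        echo "not-affected"
    else
        echo "affected"
    fi
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_SYNC_OLD='curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.8
Release-Date: 2023-02-20
Protocols: dict file ftp ftps http https
Features: alt-svc HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP'

SAMPLE_ASYNC_OLD='curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.8
Release-Date: 2023-02-20
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP'

SAMPLE_FIXED='curl 8.1.0 (x86_64-pc-linux-gnu) libcurl/8.1.0 OpenSSL/3.0.8
Release-Date: 2023-05-17
Protocols: dict file ftp ftps http https
Features: alt-svc HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP'

# Report on the constructed samples, then on the local curl if one is installed.
for s in "$SAMPLE_SYNC_OLD" "$SAMPLE_ASYNC_OLD" "$SAMPLE_FIXED"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | sed -n 1p | cut -d' ' -f1-2)" "$(curl_exposure "$s")"
done
if command -v curl >/dev/null 2>&1; then
    printf 'local curl -> %s\n' "$(curl_exposure "$(curl --version)")"
fi
```

One caveat when using this on distribution packages: vendors backport fixes without bumping the upstream version, which is why the SUSE ranges listed under Affected products name fixed builds such as 8.0.1-150400.5.23.1 that are older than 8.1.0 upstream. For packaged curl, compare the package version against the vendor's range rather than trusting the upstream number alone; the script is reliable for builds from upstream source.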
Affected products
36 - osv-coords - 34 versions
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.4 (no CPE) range: < 8.0.1-150400.5.23.1
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.5 (no CPE) range: < 8.0.1-150400.5.23.1
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%20Micro%205.3 (no CPE) range: < 8.0.1-150400.5.23.1
- pkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweed (no CPE) range: < 8.1.0-1.1
- pkg:rpm/suse/curl&distro=SUSE%20Enterprise%20Storage%206 (no CPE) range: < 7.60.0-150000.51.1
- pkg:rpm/suse/curl&distro=SUSE%20Enterprise%20Storage%207 (no CPE) range: < 7.66.0-150200.4.57.1
- pkg:rpm/suse/curl&distro=SUSE%20Enterprise%20Storage%207.1 (no CPE) range: < 7.66.0-150200.4.57.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS (no CPE) range: < 7.60.0-150000.51.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS (no CPE) range: < 7.66.0-150200.4.57.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS (no CPE) range: < 7.66.0-150200.4.57.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS (no CPE) range: < 7.66.0-150200.4.57.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.1 (no CPE) range: < 7.66.0-150200.4.57.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 (no CPE) range: < 7.66.0-150200.4.57.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 (no CPE) range: < 8.0.1-150400.5.23.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.4 (no CPE) range: < 8.0.1-150400.5.23.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 (no CPE) range: < 8.0.1-150400.5.23.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3 (no CPE) range: < 7.66.0-150200.4.57.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (no CPE) range: < 7.37.0-37.98.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-ESPOS (no CPE) range: < 7.60.0-4.56.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS (no CPE) range: < 7.60.0-4.56.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE) range: < 8.0.1-11.65.2
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS (no CPE) range: < 7.60.0-150000.51.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS (no CPE) range: < 7.66.0-150200.4.57.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS (no CPE) range: < 7.66.0-150200.4.57.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE) range: < 7.60.0-4.56.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE) range: < 8.0.1-11.65.2
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 (no CPE) range: < 7.60.0-150000.51.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 (no CPE) range: < 7.66.0-150200.4.57.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 (no CPE) range: < 7.66.0-150200.4.57.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE) range: < 8.0.1-11.65.2
- pkg:rpm/suse/curl&distro=SUSE%20Manager%20Proxy%204.2 (no CPE) range: < 7.66.0-150200.4.57.1
- pkg:rpm/suse/curl&distro=SUSE%20Manager%20Server%204.2 (no CPE) range: < 7.66.0-150200.4.57.1
- pkg:rpm/suse/curl&distro=SUSE%20OpenStack%20Cloud%209 (no CPE) range: < 7.60.0-4.56.1
- pkg:rpm/suse/curl&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 (no CPE) range: < 7.60.0-4.56.1
Patches
0: No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
9 references
- security.gentoo.org/glsa/202310-12 (mitre; vendor-advisory)
- seclists.org/fulldisclosure/2023/Jul/47 (mitre; mailing-list)
- seclists.org/fulldisclosure/2023/Jul/48 (mitre; mailing-list)
- seclists.org/fulldisclosure/2023/Jul/52 (mitre; mailing-list)
- hackerone.com/reports/1929597 (mitre)
- security.netapp.com/advisory/ntap-20230609-0009/ (mitre)
- support.apple.com/kb/HT213843 (mitre)
- support.apple.com/kb/HT213844 (mitre)
- support.apple.com/kb/HT213845 (mitre)
News mentions
0: No linked articles in our index yet.