PT-2023-2340 · Libcurl+3

Published

2023-03-20

·

Updated

2026-05-18

·

CVE-2023-27537

CVSS v3.1

5.9

Medium

Vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions libcurl 7.88.0 and 7.88.1. Sharing of HSTS data between handles was introduced in 7.88.0, so earlier releases do not contain the affected code; 8.0.0 contains the fix.
Description A double free vulnerability exists in libcurl when HSTS data is shared between separate easy handles through the share interface. This sharing was introduced without considering use of the shared data from separate threads, and the documentation gave no indication of that limitation. Because the shared HSTS cache was accessed without a mutex or thread lock, two threads updating the same HSTS data could free the same entry twice or use an entry that had already been freed. The cache is updated when a server response carries HSTS headers, so a remote server can drive the conflicting updates and trigger the double-free or use-after-free, most likely crashing the client (denial of service). Exploitation requires an application that shares HSTS data between handles used concurrently from more than one thread, which is reflected in the high attack complexity of the CVSS vector.
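The race described above, as an added example that is not libcurl's own code: a deterministic C model of two threads updating one shared HSTS cache entry through a share object. The entry pool, the step and run_schedule functions, the schedule strings and the host name are constructed for this illustration; what is taken from libcurl is only the pattern, a share lock that the update path either takes around the whole read-replace-free sequence (the fixed behaviour) or does not take at all (the affected behaviour).

```c
/*
 * Added example, not libcurl code: a deterministic model of the race behind
 * CVE-2023-27537. Two "threads" each run the two halves of an HSTS cache
 * update against one share object under a chosen interleaving. With
 * use_lock = 0 the update touches the shared cache without taking the share
 * lock (the affected 7.88.x behaviour); with use_lock = 1 each update holds
 * the lock from reading the old entry until the old entry is freed. A fixed
 * pool of entries stands in for malloc/free so a double free is counted
 * instead of aborting the process.
 */
#include <stdio.h>

#define POOL_SIZE 8

struct hsts_entry {
    int live;                 /* 1 while allocated, 0 once released */
    char host[48];
    long expires;
};

/* Share object (loosely: a CURLSH with CURL_LOCK_DATA_HSTS enabled). */
struct share {
    struct hsts_entry *hsts;  /* current cached entry for the (single) host */
    int use_lock;             /* 1: updates take the share lock; 0: they do not */
    int locked_by;            /* 0 = unlocked, else id of the thread holding the lock */
    struct hsts_entry pool[POOL_SIZE];
    int next_free;
    int double_frees;         /* releases of an entry that was already released */
};

/* Per-thread progress through one HSTS update. */
struct thread {
    int id;                   /* 1 = 'A', 2 = 'B' */
    int step;                 /* 0 = not started, 1 = read/alloc done, 2 = finished */
    struct hsts_entry *old, *fresh;
};

static struct hsts_entry *pool_alloc(struct share *sh, const char *host, long expires)
{
    if (sh->next_free >= POOL_SIZE) return NULL;   /* never reached in the runs below */
    struct hsts_entry *e = &sh->pool[sh->next_free++];
    e->live = 1;
    snprintf(e->host, sizeof e->host, "%s", host);
    e->expires = expires;
    return e;
}

static void pool_free(struct share *sh, struct hsts_entry *e)
{
    if (!e->live) { sh->double_frees++; return; }  /* the bug: second release of one entry */
    e->live = 0;
}

/*
 * One step of the update for thread t. The real update is a single call; it
 * is split here so two threads can be interleaved between "read the old
 * entry" and "free the old entry", which is the window that matters.
 * Returns 1 if the thread advanced, 0 if it was blocked on the share lock
 * or had already finished.
 */
static int step(struct share *sh, struct thread *t)
{
    switch (t->step) {
    case 0:
        if (sh->use_lock) {
            if (sh->locked_by && sh->locked_by != t->id) return 0;  /* wait for the lock */
            sh->locked_by = t->id;
        }
        t->old = sh->hsts;                               /* snapshot the entry to replace */
        t->fresh = pool_alloc(sh, "example.com", 1000 + t->id);
        t->step = 1;
        return 1;
    case 1:
        sh->hsts = t->fresh;                             /* install the replacement */
        if (t->old) pool_free(sh, t->old);               /* release the snapshot */
        if (sh->use_lock) sh->locked_by = 0;
        t->step = 2;
        return 1;
    default:
        return 0;
    }
}

/*
 * Drive threads A and B through the schedule (a string of 'A'/'B' characters,
 * one step per character), then let any unfinished thread run to completion.
 * Returns the number of double frees observed.
 */
int run_schedule(int use_lock, const char *schedule)
{
    struct share sh = {0};
    struct thread th[2] = { { .id = 1 }, { .id = 2 } };
    sh.use_lock = use_lock;
    sh.hsts = pool_alloc(&sh, "example.com", 100);      /* entry already in the cache */

    for (const char *p = schedule; *p; p++)
        step(&sh, &th[*p == 'A' ? 0 : 1]);
    for (int progress = 1; progress; )                  /* drain: finish whatever is left */
        progress = step(&sh, &th[0]) | step(&sh, &th[1]);

    return sh.double_frees;
}

int main(void)
{
    const char *schedules[] = { "AABB", "ABAB", "ABBA" };
    for (int i = 0; i < 3; i++)
        printf("schedule %s: unlocked double frees = %d, locked double frees = %d\n",
               schedules[i], run_schedule(0, schedules[i]), run_schedule(1, schedules[i]));
    return 0;
}
```

Any schedule in which both threads read the old entry before either frees it (ABAB, ABBA) produces a double free without the lock, while the strictly sequential AABB is clean even without it, which is why the bug surfaces only intermittently in real programs. With the lock, the second thread cannot read the entry until the first has finished freeing it. The use-after-free form mentioned in the advisory (the freed entry's storage being reused by a third update before the second free) is not modelled here.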
Recommendations Upgrade libcurl to 8.0.0 or later, which contains the fix (curl 8.0.0 was released on 2023-03-20). Where upgrading is not immediately possible, do not share HSTS data between easy handles that are used from different threads: either omit curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_HSTS) when configuring the share object, or confine every handle attached to that share object to a single thread. Check the installed version with curl-config --version or curl --version; only 7.88.0 and 7.88.1 are affected.

Exploit

DoS

Double Free


Weakness Enumeration

CWE-415: Double Free

Related Identifiers

ALT-PU-2023-1475
ALT-PU-2023-1501
ALT-PU-2023-5727
AZL-25852
AZL-25858
AZL-34603
AZL-38114
BDU:2023-02105
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2023-27537
MGASA-2023-0263
OPENSUSE-SU-2024:12812-1

Affected Products

Alt Linux
Ibm Aix
Red Os
Libcurl