CVE-2023-27537

MEDIUM

Haxx Libcurl < 8.2.12 - Double Free

Title source: rule

Description

A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.

References (3)

[Exploit, Third Party Advisory] https://hackerone.com/reports/1897203

[Third Party Advisory] https://security.gentoo.org/glsa/202310-12

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20230420-0010/

Scores

CVSS v3 5.9

EPSS 0.0005

EPSS Percentile 14.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-415

Status published

Affected Products (11)

haxx/libcurl

netapp/active_iq_unified_manager

netapp/clustered_data_ontap

broadcom/brocade_fabric_operating_system_firmware

netapp/h300s_firmware

netapp/h500s_firmware

netapp/h700s_firmware

netapp/h410s_firmware

splunk/universal_forwarder < 8.2.12

splunk/universal_forwarder

Timeline

Published Mar 30, 2023

Tracked Since Feb 18, 2026