CVE-2025-0665
Published 2025-02-05
CVE-2025-0665: libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.
Priority P3 · 39 · high · 7 · CVSS 3.1
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
EPSS: 4.57% (89.5th percentile)
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 8.11.1 – 8.11.1 | — |
| debian | curl | < curl 8.12.0+git20250209.89ed161+ds-1 (forky) | curl 8.12.0+git20250209.89ed161+ds-1 (forky) |
| haxx | curl | — | — |
| haxx | curl | >= 0 < 8.12.0-r0 | 8.12.0-r0 |
| haxx | curl | >= 0 < 8.12.0-r0 | 8.12.0-r0 |
| haxx | curl | >= 0 < 8.12.0-r0 | 8.12.0-r0 |
| haxx | curl | >= 0 < 8.12.0-r0 | 8.12.0-r0 |
| haxx | curl | >= 0 < 8.12.0-r0 | 8.12.0-r0 |
| haxx | curl | >= 0 < 8.12.0-r0 | 8.12.0-r0 |
| haxx | curl | >= 0 < 8.12.0+git20250209.89ed161+ds-1 | 8.12.0+git20250209.89ed161+ds-1 |
| haxx | curl | >= 0 < 8.12.0+git20250209.89ed161+ds-1 | 8.12.0+git20250209.89ed161+ds-1 |
| msrc | azl3_curl_8.11.1-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_mysql_8.0.41-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_mysql_8.0.41-1_on_cbl_mariner_2.0 | — | — |
CVSS provenance
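| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.0 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H |
| osv | | 7.0 | HIGH | |
| vendor_msrc | | 9.8 | CRITICAL | |
| vendor_debian | | 7.0 | LOW | |
| vendor_redhat | | 7.0 | HIGH | |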
Microsoft
eventfd double close
vendor_msrc·2025-02-11·CVSS 9.8
CVE-2025-0665 [HIGH] CWE-1341 eventfd double close
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
curl: curl
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linu
Red Hat
libcurl: Double Close of Eventfd in libcurl
vendor_redhat·2025-02-05·CVSS 7.0
CVE-2025-0665 [HIGH] CWE-1341 libcurl: Double Close of Eventfd in libcurl
libcurl would wrongly close the same eventfd file descriptor twice when taking
down a connection channel after having completed a threaded name resolve.
A flaw was found in libcurl. This vulnerability allows an attacker to trigger a double-close of an eventfd file descriptor via a connection teardown after a threaded name resolution, potentially leading to undefined behavior or a denial of service.
Statement: No enterprise offerings shipped by Red Hat contain the vulnerable version of the package.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Debian
CVE-2025-0665: curl - libcurl would wrongly close the same eventfd file descriptor twice when taking d...
vendor_debian·2025·CVSS 7.0
CVE-2025-0665 [HIGH] CVE-2025-0665: curl - libcurl would wrongly close the same eventfd file descriptor twice when taking d...
libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 8.12.0+git20250209.89ed161+ds-1)
sid: resolved (fixed in 8.12.0+git20250209.89ed161+ds-1)
trixie: resolved (fixed in 8.12.0+git20250209.89ed161+ds-1)
OSV
CVE-2025-0665: libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolv
osv·2025-02-05·CVSS 7.0
CVE-2025-0665 [HIGH] CVE-2025-0665: libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolv
libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.
GHSA
GHSA-cc57-hgv8-p56r: libcurl would wrongly close the same eventfd file descriptor twice when taking
down a connection channel after having completed a threaded name resolv
ghsa_unreviewed·2025-02-05
CVE-2025-0665 [CRITICAL] CWE-1341 GHSA-cc57-hgv8-p56r: libcurl would wrongly close the same eventfd file descriptor twice when taking
down a connection channel after having completed a threaded name resolv
libcurl would wrongly close the same eventfd file descriptor twice when taking
down a connection channel after having completed a threaded name resolve.
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2025-0665: eventfd double close
hackerone·2025-02-07·CVSS 7.0
CVE-2025-0665 [HIGH] CVE-2025-0665: eventfd double close
## Summary:
GitHub issue 15725 describes a double close in libcurl 8.11.1. I believe that a double close in multi-threaded code should be considered a security vulnerability. A fix already exists for this, so it should be good in the next release.
I am not 100% sure this is the place to be making such a comment, but I felt it was better to make this private rather than commenting about it on GitHub. I do not want a reward for a bug which I was not the first to find, I just want the software I use and create to be secure.
## Affected version
libcurl 8.11.1
## Steps To Reproduce:
1. Have three threads, one writing a sensitive file (writer), one listening for outside connections (listener), and one using curl (curl thread).
2. The curl thread uses curl, and
Bugzilla
CVE-2025-0665 libcurl: Double Close of Eventfd in libcurl
bugzilla·2025-02-05·CVSS 7.0
CVE-2025-0665 [HIGH] CVE-2025-0665 libcurl: Double Close of Eventfd in libcurl
libcurl would wrongly close the same eventfd file descriptor twice when taking
down a connection channel after having completed a threaded name resolve.
arXiv
Automated Vulnerability Validation and Verification: A Large Language Model Approach
arxiv_fulltext·2025-11-13
Alireza Lotfi, Charalampos Katsis, Elisa Bertino
Department of Computer Science, Purdue University, West Lafayette, IN, USA
## Abstract
Software vulnerabilities remain a critical security challenge, providing entry points for attackers to compromise enterprise networks. Despite advances in security practices, the lack of high-quality datasets capturing the behavior of diverse exploits hinders effective vulnerability assessment and mitigation.
This paper introduces an end-to-end multi-step pipeline