CVE-2025-0665 — Multiple Releases of Same Resource or Handle in Curl

CWE-1341 — Multiple Releases of Same Resource or Handle9 documents8 sources

Severity

7.0HIGHNVD

EPSS

4.6%

top 10.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Curl

Timeline

PublishedFeb 5

Latest updateFeb 11

Description

libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:HExploitability: 2.2 | Impact: 4.7

Affected Packages4 packages

▶Alpinehaxx/curl< 8.12.0-r0+5

▶Debianhaxx/curl< 8.12.0+git20250209.89ed161+ds-1+1

▶CVEListV5curl/curl8.11.1 — 8.11.1

▶NVDhaxx/curl8.11.1

🔴Vulnerability Details

OSV

CVE-2025-0665: libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolv↗2025-02-05

▶

GHSA

GHSA-cc57-hgv8-p56r: libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolv↗2025-02-05

▶

CVEList

eventfd double close↗2025-02-05

▶

OSV

CVE-2025-0665: libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolv↗2025-02-05

▶

📋Vendor Advisories

Microsoft

eventfd double close↗2025-02-11

▶

Red Hat

libcurl: Double Close of Eventfd in libcurl↗2025-02-05

▶

Debian

CVE-2025-0665: curl - libcurl would wrongly close the same eventfd file descriptor twice when taking d...↗2025

▶

💬Community

HackerOne

CVE-2025-0665: eventfd double close↗2025-02-07

▶