CVE-2021-22945 is a critical double free vulnerability (CWE-415) found in libcurl versions 7.73.0 through 7.78.0. Libcurl is a widely used client-side URL transfer library supporting numerous protocols, including MQTT, which is a lightweight messaging protocol often used in IoT and messaging applications. This vulnerability arises when libcurl sends data to an MQTT server: under certain conditions, the library erroneously retains a pointer to a memory area that has already been freed. Subsequently, libcurl attempts to use this stale pointer to send data again and also frees the memory a second time. This double free can lead to undefined behavior, including memory corruption, application crashes, or potentially arbitrary code execution if exploited. The vulnerability does not require any privileges or user interaction and can be triggered remotely by sending crafted data to an MQTT server that a vulnerable client connects to. The CVSS v3.1 base score is 9.1, indicating a critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and availability. Although no known exploits are reported in the wild, the nature of the vulnerability and the widespread use of libcurl make it a significant threat. The absence of patch links suggests users should upgrade to versions beyond 7.78.0 where this issue is fixed. Given libcurl’s extensive use in many software products and IoT devices, this vulnerability could be leveraged to disrupt services or compromise systems that rely on MQTT communications.

For European organizations, the impact of CVE-2021-22945 can be substantial, especially for those utilizing MQTT-based messaging in IoT deployments, industrial control systems, or cloud services that incorporate libcurl for data transfer. Exploitation could lead to denial of service through application crashes or potentially allow attackers to execute arbitrary code, compromising confidentiality and availability of critical systems. This is particularly concerning for sectors such as manufacturing, energy, healthcare, and telecommunications, where MQTT is commonly used for device telemetry and control. Disruption or compromise of these systems could result in operational downtime, data breaches, or safety risks. Additionally, since libcurl is embedded in many software products, the vulnerability could propagate through supply chains, affecting a broad range of applications and services across Europe. The critical CVSS score underscores the urgency for organizations to assess their exposure and remediate promptly to prevent exploitation.

European organizations should take the following specific actions to mitigate CVE-2021-22945: 1) Inventory all software and devices that use libcurl, focusing on versions 7.73.0 through 7.78.0, especially those handling MQTT communications. 2) Upgrade libcurl to the latest stable version beyond 7.78.0 where the vulnerability is patched. 3) For embedded or third-party products that incorporate libcurl, coordinate with vendors to obtain patched versions or apply vendor-provided mitigations. 4) Implement network-level controls to monitor and restrict MQTT traffic to trusted sources, reducing exposure to malicious MQTT servers or crafted payloads. 5) Employ runtime protections such as memory corruption mitigations (e.g., ASLR, DEP) to reduce exploitation success. 6) Conduct targeted penetration testing and fuzzing on MQTT communication components to identify residual vulnerabilities. 7) Maintain robust incident detection capabilities to identify unusual crashes or memory corruption events that may indicate exploitation attempts. These steps go beyond generic patching advice by emphasizing supply chain awareness, network segmentation, and proactive detection tailored to MQTT and libcurl usage contexts.