CVE-2025-0665: eventfd double close
Low
C
curl
Reported by: ankomcoper
Vulnerability Details
Technical details and impact analysis
## Summary:
GitHub issue 15725 describes a double close in libcurl 8.11.1. I believe that a double close in multithreaded code should be considered a security vulnerability. A fix already exists for this, so it should be good in the next release.
I am not 100% sure this is the place to be making such a comment, but I felt it was better to make this private rather than commenting about it on GitHub. I do not want a reward for a bug which I was not the first to find; I just want the software I use and create to be secure.
## Affected version
libcurl 8.11.1
## Steps To Reproduce:
1. Have three threads, one writing a sensitive file (writer), one listening for outside connections (listener), and one using curl (curl thread).
2. The curl thread uses curl, and gets to the first of the two closes. It closes file descriptor X.
3. The writer opens the sensitive file. This file could be a script, a password file, a configuration file, or any other file containing sensitive data. The open file is assigned file descriptor X.
4. The curl thread gets to the second close, closing file descriptor X again.
5. The listener accepts a connection from the attacker. This connection is then assigned the file descriptor X.
6. The writer begins writing (or continues to write) sensitive data to descriptor X, which would now be sent to the attacker.
A similar condition could cause the reading of data from an attacker-controlled stream, rather than a trusted file.
## Supporting Material/References:
https://github.com/curl/curl/issues/15725
## Impact
## Summary:
Potential for attacker control of arbitrary file descriptors, provided a race condition. Potential for remote code execution, or leaking of sensitive information.
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Weakness: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
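The descriptor reuse behind steps 2 to 4 of the report can be replayed deterministically in a single thread, next to the usual guard against it. This is an added example, not code from the report or from curl: the function names and `close_once()` are hypothetical, and `/dev/null` stands in for the sensitive file.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper: close once, then reset the stored number to -1. */
static int close_once(int *fdp)
{
    int rc = 0;
    if (*fdp >= 0) { rc = close(*fdp); *fdp = -1; }
    return rc;
}

/* Steps 2-4 replayed in one thread. Returns 1 when the second close() on
 * the stale number closed the unrelated descriptor opened in between. */
int stale_close_hits_unrelated_fd(void)
{
    int p[2], stale, victim, hit;
    if (pipe(p) != 0) return -1;
    stale = p[0];
    close(p[0]);                              /* first close frees the number */
    victim = open("/dev/null", O_WRONLY);     /* constructed "sensitive file" */
    if (victim != stale) { close(victim); close(p[1]); return 0; }
    close(stale);                             /* second close hits victim */
    hit = (fcntl(victim, F_GETFD) == -1 && errno == EBADF);
    close(p[1]);
    return hit;
}

/* Same sequence through close_once(). Returns 1 when victim stays open. */
int guarded_close_spares_unrelated_fd(void)
{
    int p[2], owned, victim, alive;
    if (pipe(p) != 0) return -1;
    owned = p[0];
    close_once(&owned);
    victim = open("/dev/null", O_WRONLY);
    close_once(&owned);                       /* no-op: owned is already -1 */
    alive = (victim >= 0 && fcntl(victim, F_GETFD) != -1);
    close(victim);
    close(p[1]);
    return alive;
}

int main(void)
{
    printf("stale close hit: %d, guarded close spared: %d\n",
           stale_close_hits_unrelated_fd(), guarded_close_spares_unrelated_fd());
    return 0;
}
```

Resetting the stored number only protects a descriptor with a single owner; when two threads share the variable, access to it still has to be synchronized.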