SB2026062427 - Multiple vulnerabilities in cURL
Published: June 24, 2026
Breakdown by Severity: Low / Medium / High / Critical (per-severity counts not preserved)
Description
This security bulletin contains information about 18 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2026-10536)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in libcurl's HTTP/2 stream-dependency handling when an easy handle configured with HTTP/2 stream dependencies is reset and then cleaned up. A local user can call curl_easy_reset() followed by curl_easy_cleanup() on such a handle to trigger the use-after-free and cause a denial of service.
The issue affects only libcurl and requires the rarely used HTTP/2 stream-dependency options CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E.
2) Infinite loop (CVE-ID: CVE-2026-11352)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a loop with an unreachable exit condition in the QUIC UDP receive function when zero-length UDP datagrams arrive from a connected HTTP/3 server. A remote attacker controlling that server can keep streaming empty datagrams to keep the receive loop spinning and cause a denial of service.
The issue triggers only on platforms that provide the recvmmsg() system call.
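The shape of the bug in item 2 is a receive loop whose exit condition depends on data the peer controls. The following is an added illustration, not curl's QUIC code: a constructed stand-in socket (fake_recv, struct fake_sock, PKT_BUDGET and SAFETY_CAP are all made up for this example) feeds a drain loop that, in the weak version, counts only datagrams carrying bytes toward its per-call budget, so a flood of empty datagrams keeps it busy; the fixed version charges every datagram against the budget and always yields back to the event loop.

```c
#include <stdio.h>

#define PKT_BUDGET 64      /* datagrams handled per call before yielding to the event loop */
#define SAFETY_CAP 100000  /* example-only guard so the weak loop cannot spin forever here */

/* Constructed stand-in for a non-blocking UDP socket (not curl code): hands out
 * `remaining` datagrams of `len` bytes each, then reports "would block" as -1. */
struct fake_sock {
    int remaining;
    int len;
};

/* Returns the payload length (>= 0) of the next datagram, or -1 for EAGAIN. */
static int fake_recv(struct fake_sock *s)
{
    if (s->remaining <= 0)
        return -1;
    s->remaining--;
    return s->len;
}

/* Weak drain loop: only datagrams that carry bytes count toward the budget, so
 * a peer streaming empty datagrams keeps this loop busy for as long as it likes.
 * Returns how many datagrams were pulled from the socket in this one call. */
static int drain_weak(struct fake_sock *s)
{
    int counted = 0, pulled = 0;
    while (counted < PKT_BUDGET && pulled < SAFETY_CAP) {
        int n = fake_recv(s);
        if (n < 0)
            break;              /* EAGAIN: queue empty, exit normally */
        pulled++;
        if (n > 0)
            counted++;          /* empty datagrams never advance `counted` */
    }
    return pulled;
}

/* Fixed drain loop: every datagram the kernel hands back, empty or not, is
 * charged against the budget, so the call returns after at most PKT_BUDGET
 * datagrams regardless of what the peer sends. */
static int drain_fixed(struct fake_sock *s)
{
    int pulled = 0;
    while (pulled < PKT_BUDGET) {
        int n = fake_recv(s);
        if (n < 0)
            break;
        pulled++;
        if (n == 0)
            continue;           /* zero-length datagram: nothing to parse, but it used a slot */
        /* parse the QUIC packet here */
    }
    return pulled;
}

/* Scenario helpers: a peer with `queued` datagrams of `len` bytes each. */
static int weak_pulls(int queued, int len)
{
    struct fake_sock s = { queued, len };
    return drain_weak(&s);
}

static int fixed_pulls(int queued, int len)
{
    struct fake_sock s = { queued, len };
    return drain_fixed(&s);
}

int main(void)
{
    printf("peer floods 5000 empty datagrams: weak loop pulls %d per call, fixed loop pulls %d\n",
           weak_pulls(5000, 0), fixed_pulls(5000, 0));
    printf("peer sends 5000 real datagrams: weak loop pulls %d, fixed loop pulls %d\n",
           weak_pulls(5000, 1200), fixed_pulls(5000, 1200));
    return 0;
}
```

The weak loop only ever stops here because the stand-in socket runs dry or the example's SAFETY_CAP trips; a real peer that never stops sending would keep it spinning. The fixed loop's bound is independent of the peer.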
3) Improper Certificate Validation (CVE-ID: CVE-2026-11564)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass certificate trust restrictions.
The vulnerability exists due to improper certificate validation in libcurl's connection reuse logic when an easy handle is reused after switching from native CA trust to custom CA material: the existing connection, verified against the platform store, is reused for the new transfer. A remote attacker can present a TLS certificate trusted by the native platform store to bypass the certificate trust restrictions the custom CA material was meant to impose.
The issue applies to builds that use the native CA store by default (Apple operating systems and Windows) and affects the OpenSSL, GnuTLS, Schannel and Rustls TLS backends.
4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-11586)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the WebSocket auto-PONG handling when a server sends PING frames in rapid succession. A remote attacker controlling the server can send a rapid sequence of PING frames, each of which queues an automatic PONG reply, to cause a denial of service.
This issue affects both libcurl and the curl command line tool.
5) Authentication Bypass by Capture-replay (CVE-ID: CVE-2026-11856)
CWE-ID: CWE-294 - Authentication Bypass by Capture-replay
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authentication by replaying Digest authentication state.
The vulnerability exists due to authentication bypass by capture-replay in libcurl's Digest authentication handling when the same handle is reused for a second transfer to a different HTTP origin. The server handling that second transfer receives an Authorization header intended for the first origin; a remote attacker operating it can replay the captured Digest authentication state to bypass authentication.
The issue affects libcurl but not the curl command line tool. The leaked header does not reveal the other origin, and the exposed state allows replay only for the exact path of the captured request.
6) Exposure of Data Element to Wrong Session (CVE-ID: CVE-2026-8458)
CWE-ID: CWE-488 - Exposure of Data Element to Wrong Session
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to expose data to the wrong session.
The vulnerability exists due to exposure of a data element to the wrong session in libcurl's connection reuse logic when Negotiate-authenticated connections are reused across different services. A subsequent request for a different service on the same host can wrongly reuse the existing authenticated connection, so data is exposed to the wrong session.
The issue occurs only when the same hostname, port number and credentials are used and the previous connection is still alive in the connection pool.
7) Authentication Bypass by Capture-replay (CVE-ID: CVE-2026-8927)
CWE-ID: CWE-294 - Authentication Bypass by Capture-replay
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to impersonate the client to another proxy.
The vulnerability exists due to authentication bypass by capture-replay in libcurl's proxy authentication state handling when a handle is reused for sequential transfers whose proxy is selected through environment-variable proxy configuration. A Proxy-Authorization header intended for the first proxy can leak onto a subsequent request, and a remote user operating the proxy that receives it can replay the header to impersonate the client to the other proxy.
The issue affects libcurl and does not affect the curl command line tool.
8) Authentication Bypass by Primary Weakness (CVE-ID: CVE-2026-8932)
CWE-ID: CWE-305 - Authentication Bypass by Primary Weakness
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass client certificate authentication.
The vulnerability exists due to authentication bypass by primary weakness in libcurl's connection reuse logic when a previously established connection is reused after the mTLS client certificate settings have changed. The new transfer runs over a connection with mismatched client certificate configuration, so a remote user can bypass client certificate authentication.
The issue affects libcurl and does not affect the curl command line tool.
9) Improper validation of certificate with host mismatch (CVE-ID: CVE-2026-12064)
CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to connect to an unverified SSH remote host.
The vulnerability exists due to improper validation of certificate with host mismatch in the curl command line tool when a schemeless URL is combined with --proto-default sftp or --proto-default scp. In that flow curl connects without verifying the SSH host key, so an attacker who can place an SSH server in the connection path is accepted as the remote host.
The issue affects only the curl command line tool; libcurl and other applications built on it are not affected.
10) Improper Certificate Validation (CVE-ID: CVE-2026-8286)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass TLS certificate validation.
The vulnerability exists due to improper certificate validation in the connection reuse logic for STARTTLS-enabled protocols when a new transfer reuses an existing live connection. A remote attacker can cause the transfer to run over a connection whose TLS settings do not match those the transfer requested, bypassing TLS certificate validation.
This affects transfers using the IMAP, POP3, SMTP, FTP or LDAP schemes that begin in cleartext and are upgraded to TLS with STARTTLS.
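Items 3, 6, 8 and 10 share one root cause: a pooled connection was matched on its endpoint alone, while the transfer that picked it up had different trust, identity or TLS requirements. The following is an added example of the matching rule a pool needs, not libcurl's connectdata or its reuse code; the struct fields, the hostnames, the certificate paths and the Negotiate service names are all made up for the example. The weak matcher keys on scheme, host and port; the strict matcher also requires every security-relevant parameter to be identical.

```c
#include <stdbool.h>
#include <string.h>

/* Every parameter that changes what a connection proves or whom it speaks for.
 * Illustrative struct for this example, not libcurl's connectdata. */
struct conn_params {
    const char *scheme;        /* "https", "imap", ... */
    const char *host;
    int         port;
    bool        verify_peer;   /* TLS peer verification on or off */
    bool        native_ca;     /* platform trust store vs. custom CA material */
    const char *ca_file;       /* custom CA bundle, NULL when none */
    const char *client_cert;   /* mTLS client certificate, NULL when none */
    bool        tls_upgraded;  /* cleartext session upgraded with STARTTLS */
    const char *auth_user;     /* authenticated identity, NULL when none */
    const char *auth_service;  /* service the authentication was performed for */
};

static bool str_eq(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Weak matcher: keys the pool on the endpoint only, so any live connection to
 * that endpoint is handed out regardless of how it was verified or authenticated. */
static bool conn_matches_weak(const struct conn_params *live, const struct conn_params *want)
{
    return str_eq(live->scheme, want->scheme) && str_eq(live->host, want->host) &&
           live->port == want->port;
}

/* Strict matcher: reuse only when every security-relevant parameter is identical;
 * any mismatch means "open a fresh connection". */
static bool conn_matches_strict(const struct conn_params *live, const struct conn_params *want)
{
    return conn_matches_weak(live, want) &&
           live->verify_peer == want->verify_peer && live->native_ca == want->native_ca &&
           str_eq(live->ca_file, want->ca_file) && str_eq(live->client_cert, want->client_cert) &&
           live->tls_upgraded == want->tls_upgraded &&
           str_eq(live->auth_user, want->auth_user) && str_eq(live->auth_service, want->auth_service);
}

static bool would_reuse(const struct conn_params *live, const struct conn_params *want, bool strict)
{
    return strict ? conn_matches_strict(live, want) : conn_matches_weak(live, want);
}

/* A live HTTPS connection verified against the platform store (made-up host). */
static struct conn_params https_native(void)
{
    struct conn_params p = { "https", "api.example.test", 443, true, true, NULL, NULL, false, NULL, NULL };
    return p;
}

/* Same endpoint, same settings: reuse is the correct answer in both modes. */
static bool reuse_identical(bool strict)
{
    struct conn_params live = https_native(), want = https_native();
    return would_reuse(&live, &want, strict);
}

/* Item 3: handle switched from the platform store to a custom CA bundle (made-up path). */
static bool reuse_after_ca_switch(bool strict)
{
    struct conn_params live = https_native(), want = https_native();
    want.native_ca = false;
    want.ca_file = "/etc/pki/internal-ca.pem";
    return would_reuse(&live, &want, strict);
}

/* Item 8: connection opened without a client certificate, then mTLS is configured. */
static bool reuse_after_mtls_change(bool strict)
{
    struct conn_params live = https_native(), want = https_native();
    want.client_cert = "/etc/pki/client.pem";
    return would_reuse(&live, &want, strict);
}

/* Item 6: Negotiate-authenticated connection asked to serve a different service on
 * the same host, port and credentials (service names are made up). */
static bool reuse_across_services(bool strict)
{
    struct conn_params live = https_native(), want = https_native();
    live.auth_user = want.auth_user = "alice";
    live.auth_service = "HTTP/api.example.test";
    want.auth_service = "HTTP/other.example.test";
    return would_reuse(&live, &want, strict);
}

/* Item 10: still-cleartext IMAP session reused for a transfer that asked for
 * STARTTLS with peer verification. */
static bool reuse_cleartext_for_starttls(bool strict)
{
    struct conn_params live = { "imap", "mail.example.test", 143, false, true, NULL, NULL, false, NULL, NULL };
    struct conn_params want = live;
    want.verify_peer = true;
    want.tls_upgraded = true;
    return would_reuse(&live, &want, strict);
}
```

Each scenario returns true when the pool would hand the existing connection to the new transfer. With the weak matcher all four mismatched scenarios reuse; with the strict matcher only the identical one does. On the application side, until a fixed libcurl is deployed, the same effect is obtained by not reusing a handle across trust or identity changes, or by forcing a new connection (CURLOPT_FRESH_CONNECT) for the transfer that changes them.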
11) Insertion of Sensitive Information Into Sent Data (CVE-ID: CVE-2026-8924)
CWE-ID: CWE-201 - Insertion of Sensitive Information Into Sent Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper cookie domain validation in the cookie parsing logic when a cookie whose domain attribute ends in a trailing dot is set for a hostname that also ends in a trailing dot. A remote attacker can return a specially crafted HTTP response that sets a super cookie (a cookie scoped to a public suffix such as a top-level domain), which curl then sends to unrelated sites under that suffix, disclosing sensitive information.
The issue is exploitable through both libcurl and the curl command line tool, and the trailing dot bypasses the Public Suffix List check.
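The following is an added example of the check item 11 is about, not curl's cookie code: a cookie domain must be canonicalised (case, leading dot, trailing dots) before both the Public Suffix List lookup and the RFC 6265 domain-match, otherwise the two see different strings. The PSL here is a constructed four-entry stand-in (curl's real check goes through libpsl), and the weak variant shows how a raw "com." slips past a list that holds "com".

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed mini Public Suffix List for the example; the real list has
 * thousands of entries. */
static const char *const PSL[] = { "com", "net", "co.uk", "example.test" };

/* Canonical form for matching: lower-case, no leading dot, no trailing dots.
 * Writes at most cap-1 characters plus the terminator. */
static void normalize_domain(char *dst, size_t cap, const char *src)
{
    size_t n;
    while (*src == '.')
        src++;
    n = strlen(src);
    while (n > 0 && src[n - 1] == '.')
        n--;
    if (n >= cap)
        n = cap - 1;
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[n] = '\0';
}

static bool is_public_suffix(const char *domain)
{
    for (size_t i = 0; i < sizeof PSL / sizeof PSL[0]; i++)
        if (strcmp(domain, PSL[i]) == 0)
            return true;
    return false;
}

/* RFC 6265 domain-match: host equals domain, or host ends in "." + domain. */
static bool domain_matches(const char *host, const char *domain)
{
    size_t hl = strlen(host), dl = strlen(domain);
    if (dl == 0 || dl > hl)
        return false;
    if (hl == dl)
        return strcmp(host, domain) == 0;
    return host[hl - dl - 1] == '.' && strcmp(host + (hl - dl), domain) == 0;
}

/* Weak check: runs the PSL lookup on the raw attribute value. For host
 * "example.com." with Domain=com. the lookup for "com." misses (the list holds
 * "com") while the suffix match still succeeds, so a cookie scoped to the whole
 * .com TLD, a super cookie, is accepted. */
static bool cookie_domain_ok_weak(const char *host, const char *domain)
{
    if (is_public_suffix(domain))
        return false;
    return domain_matches(host, domain);
}

/* Hardened check: canonicalise both sides first so the PSL lookup and the
 * suffix match operate on the same string; reject empty domains and public
 * suffixes, then apply the domain-match rule. */
static bool cookie_domain_ok(const char *host, const char *domain)
{
    char h[256], d[256];
    normalize_domain(h, sizeof h, host);
    normalize_domain(d, sizeof d, domain);
    if (d[0] == '\0' || is_public_suffix(d))
        return false;
    return domain_matches(h, d);
}

int main(void)
{
    printf("weak check accepts Domain=com. for host example.com.: %d\n",
           cookie_domain_ok_weak("example.com.", "com."));
    printf("hardened check accepts it: %d\n", cookie_domain_ok("example.com.", "com."));
    return 0;
}
```

The ordering matters: any comparison against a deny-list must run on the same canonical form as the match that grants scope, or the deny-list can be sidestepped by a representation the match tolerates but the list does not contain.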
12) Double free (CVE-ID: CVE-2026-8925)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to a double free in the SASL authentication logic when a malicious server response is processed during SASL authentication. A remote user who controls or can influence the server can return a crafted response that triggers the double free and causes a denial of service.
Only builds using libgsasl are vulnerable, and the issue can be triggered over IMAP, POP3, and SMTP.
13) Insufficiently protected credentials (CVE-ID: CVE-2026-8926)
CWE-ID: CWE-522 - Insufficiently Protected Credentials
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to use credentials intended for another user.
The vulnerability exists due to insufficiently protected credentials in .netrc credential handling when a URL specifies a username but no password. If the .netrc file has no entry for that username but holds credentials for the same host under a different user, the transfer proceeds with that other user's credentials; a remote user can supply such a URL to use credentials intended for another user.
The issue occurs only when curl is configured to use a .netrc file and the target host has credentials stored for a different user.
14) Insufficiently protected credentials (CVE-ID: CVE-2026-9079)
CWE-ID: CWE-522 - Insufficiently Protected Credentials
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose proxy authentication credentials.
The vulnerability exists due to insufficiently protected credentials in libcurl's proxy authentication handling when proxy authentication credentials are cleared. If an application reuses a handle after changing or clearing its proxy credentials, the previous credentials can still be sent, and a remote user operating the proxy that receives them learns proxy authentication credentials not intended for it.
The issue affects libcurl and does not affect the curl command line tool.
15) Use-after-free (CVE-ID: CVE-2026-9080)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in libcurl's socket callback handling when curl_easy_pause() is called from within the CURLMOPT_SOCKETFUNCTION callback. A local user who can drive the affected callback sequence can trigger the use-after-free and cause a denial of service.
This issue affects libcurl and does not affect the curl command line tool.
16) Information disclosure (CVE-ID: CVE-2026-9545)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in libcurl's HTTP/3 handling when a cached SSL session with early data enabled is reused after the original server has been replaced by an impostor machine. A remote attacker controlling the impostor can make libcurl send request bytes as early data before the certificate verification failure takes effect, disclosing sensitive information.
The issue is specific to HTTP/3 with the ngtcp2 + nghttp3 backend and requires both SSL session caching and TLS early data to be enabled.
17) Information disclosure (CVE-ID: CVE-2026-9546)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in libcurl's HTTP Referer header handling when subsequent HTTP requests are sent after CURLOPT_REFERER has been cleared by setting it to NULL. The previously configured Referer header is erroneously still included, so a remote attacker operating the server that receives a subsequent request obtains it and sensitive information is disclosed.
This issue affects libcurl and does not affect the curl command line tool.
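Items 5, 7, 14 and 17 are all instances of per-handle state outliving the peer it was created for: a Digest Authorization header, a Proxy-Authorization header, or a Referer that should have been dropped. The following is an added example of the scoping discipline that prevents this, not libcurl's internal handle state: every cached header value is stored together with a tag naming the peer it was minted for, and is emitted only when the current transfer targets that same peer. The struct layout, origins, proxy hosts and header values are made up for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative per-handle state for this example (not libcurl's struct Curl_easy).
 * Each cached header value carries a tag naming the peer it was minted for. */
struct handle {
    char auth_header[128];   /* cached Authorization value, "" when none */
    char auth_scope[128];    /* origin the Authorization state belongs to */
    char proxy_header[128];  /* cached Proxy-Authorization value, "" when none */
    char proxy_scope[128];   /* "proxyhost|user" the proxy state belongs to */
    char referer[128];       /* "" when no Referer is to be sent */
};

struct transfer {
    const char *origin;      /* scheme://host:port of this request */
    const char *proxy_host;  /* NULL when no proxy is used */
    const char *proxy_user;  /* NULL when proxy credentials are unset or cleared */
};

struct wire { bool authorization, proxy_authorization, referer; };

static void copy_str(char *dst, size_t cap, const char *src)
{
    size_t n = src ? strlen(src) : 0;
    if (n >= cap) n = cap - 1;
    if (n) memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Scope tag for proxy credentials; empty when there is no proxy or no user. */
static void proxy_scope_tag(char *dst, size_t cap, const struct transfer *t)
{
    if (!t->proxy_host || !t->proxy_user)
        dst[0] = '\0';
    else
        snprintf(dst, cap, "%s|%s", t->proxy_host, t->proxy_user);
}

/* Record auth state produced by transfer `t` together with its scope. */
static void cache_authorization(struct handle *h, const struct transfer *t, const char *v)
{
    copy_str(h->auth_header, sizeof h->auth_header, v);
    copy_str(h->auth_scope, sizeof h->auth_scope, t->origin);
}

static void cache_proxy_authorization(struct handle *h, const struct transfer *t, const char *v)
{
    copy_str(h->proxy_header, sizeof h->proxy_header, v);
    proxy_scope_tag(h->proxy_scope, sizeof h->proxy_scope, t);
}

/* Weak setter treats NULL as "leave unchanged" (the shape of item 17); the
 * fixed setter clears the value, as the option contract promises. */
static void set_referer_weak(struct handle *h, const char *ref)
{
    if (ref) copy_str(h->referer, sizeof h->referer, ref);
}
static void set_referer(struct handle *h, const char *ref)
{
    copy_str(h->referer, sizeof h->referer, ref);
}

/* Weak selection: whatever is cached goes out on every transfer. */
static struct wire headers_weak(const struct handle *h)
{
    struct wire w = { h->auth_header[0] != '\0', h->proxy_header[0] != '\0', h->referer[0] != '\0' };
    return w;
}

/* Scoped selection: a cached value goes only to the peer it was minted for, and
 * proxy credentials that were changed or cleared never ride along. */
static struct wire headers_scoped(const struct handle *h, const struct transfer *t)
{
    char want[128];
    struct wire w;
    proxy_scope_tag(want, sizeof want, t);
    w.authorization = h->auth_header[0] != '\0' && strcmp(h->auth_scope, t->origin) == 0;
    w.proxy_authorization = h->proxy_header[0] != '\0' && want[0] != '\0' &&
                            strcmp(h->proxy_scope, want) == 0;
    w.referer = h->referer[0] != '\0';
    return w;
}

/* Items 5, 7 and 14: state minted on transfer A; the handle is then reused either
 * for A again (same_peer) or for B: another origin, another proxy, credentials
 * cleared. Returns true when cached auth state would be sent. Hosts are made up. */
static bool sends_cached_state(bool scoped, bool same_peer)
{
    struct handle h;
    struct transfer a = { "https://a.example.test:443", "proxy1.example.test", "alice" };
    struct transfer b = { "https://b.example.test:443", "proxy2.example.test", NULL };
    const struct transfer *target = same_peer ? &a : &b;
    struct wire w;
    memset(&h, 0, sizeof h);
    cache_authorization(&h, &a, "Digest username=\"alice\", realm=\"api\", ...");
    cache_proxy_authorization(&h, &a, "Basic YWxpY2U6c2VjcmV0");
    w = scoped ? headers_scoped(&h, target) : headers_weak(&h);
    return w.authorization || w.proxy_authorization;
}

/* Item 17: Referer set, then cleared with NULL. True if the next transfer still carries it. */
static bool referer_survives_clear(bool scoped)
{
    struct handle h;
    struct transfer t = { "https://a.example.test:443", NULL, NULL };
    memset(&h, 0, sizeof h);
    if (scoped) {
        set_referer(&h, "https://start.example.test/");
        set_referer(&h, NULL);
        return headers_scoped(&h, &t).referer;
    }
    set_referer_weak(&h, "https://start.example.test/");
    set_referer_weak(&h, NULL);
    return headers_weak(&h).referer;
}
```

The scoped variant still sends cached state when the handle is reused against the same origin and the same proxy with the same credentials, so legitimate reuse keeps working; only the cross-peer and post-clear cases change.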
18) Improper validation of certificate with host mismatch (CVE-ID: CVE-2026-9547)
CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a man-in-the-middle attack.
The vulnerability exists due to improper validation of the SSH host key in the CURLOPT_SSH_KEYFUNCTION callback path when host keys are validated for SCP:// or SFTP:// transfers. A remote attacker can present a host key whose type does not match the key type already recorded for the host in the known_hosts file and thereby perform a man-in-the-middle attack.
Only libcurl-based applications built with the libssh backend and using the callback are vulnerable. The curl command line tool is not affected.
Remediation
Install the update from the vendor's website.
References
- https://curl.se/docs/CVE-2026-10536.html
- https://github.com/curl/curl/commit/bfbff7852f050232edd3e5ca
- https://curl.se/docs/CVE-2026-11352.html
- https://github.com/curl/curl/commit/56eca2afb4806f1032872fa9
- https://curl.se/docs/CVE-2026-11564.html
- https://github.com/curl/curl/commit/d69bfad3fa3daf5e72331f6870667
- https://curl.se/docs/CVE-2026-11586.html
- https://github.com/curl/curl/commit/849317ff5c5a5e13f50ec3d0
- https://curl.se/docs/CVE-2026-11856.html
- https://github.com/curl/curl/commit/5c6b4880357ab3e72967c1c45c
- https://curl.se/docs/CVE-2026-8458.html
- https://github.com/curl/curl/commit/5e99b73cf441d9c369768b9cd
- https://curl.se/docs/CVE-2026-8927.html
- https://github.com/curl/curl/commit/5c225384b8d52c6
- https://curl.se/docs/CVE-2026-8932.html
- https://github.com/curl/curl/commit/7541ae569d82fb308a5e2d94
- https://curl.se/docs/CVE-2026-12064.html
- https://github.com/curl/curl/commit/ab3bb8cd8be8f9d4acb97da041
- https://curl.se/docs/CVE-2026-8286.html
- https://github.com/curl/curl/commit/a86efdd7ca5433de9231e6
- https://curl.se/docs/CVE-2026-8924.html
- https://github.com/curl/curl/commit/51beed175dbfc37da3113f6acc
- https://curl.se/docs/CVE-2026-8925.html
- https://github.com/curl/curl/commit/3da249e1f0716c06644ed3522
- https://curl.se/docs/CVE-2026-8926.html
- https://github.com/curl/curl/commit/4ae1d7cc2643e47
- https://curl.se/docs/CVE-2026-9079.html
- https://github.com/curl/curl/commit/88c7e16cceec816a2df45c89
- https://curl.se/docs/CVE-2026-9080.html
- https://github.com/curl/curl/commit/5ab34cba42e4ee4282fe
- https://curl.se/docs/CVE-2026-9545.html
- https://github.com/curl/curl/commit/7b9613fa9b1a5e04301a39
- https://curl.se/docs/CVE-2026-9546.html
- https://github.com/curl/curl/commit/862e8a74a84478d82973471
- https://curl.se/docs/CVE-2026-9547.html
- https://github.com/curl/curl/commit/0b8dbbc63c98777e4584cb9