SB2026070135 - Ubuntu update for curl
Published: July 1, 2026
Description
This security bulletin contains information about 10 vulnerabilities.
1) Improper Certificate Validation (CVE-ID: CVE-2026-8286)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass TLS certificate validation.
The vulnerability exists due to improper certificate validation in connection reuse logic for STARTTLS-enabled protocol handling when reusing an existing live connection for a new transfer. A remote attacker can cause a transfer to reuse a connection with mismatched TLS settings to bypass TLS certificate validation.
This affects transfers using IMAP, POP3, SMTP, FTP, or LDAP schemes that begin in cleartext and are upgraded to TLS with STARTTLS.
2) Exposure of Data Element to Wrong Session (CVE-ID: CVE-2026-8458)
CWE-ID: CWE-488 - Exposure of Data Element to Wrong Session
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to expose data to the wrong session.
The vulnerability exists due to exposure of data element to wrong session in libcurl connection reuse logic when reusing Negotiate-authenticated connections across different services. A remote user can issue a request that wrongfully reuses an existing authenticated connection to expose data to the wrong session.
The issue only occurs when using the same hostname, port number, and credentials, and when the previous connection remains alive in the connection pool.
3) Insertion of Sensitive Information Into Sent Data (CVE-ID: CVE-2026-8924)
CWE-ID: CWE-201 - Insertion of Sensitive Information Into Sent Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper cookie domain validation in cookie parsing logic when processing a cookie with a trailing-dot domain for a trailing-dot hostname. A remote attacker can send a specially crafted HTTP response that sets a super cookie to disclose sensitive information.
This issue is exploitable through both libcurl and the curl command line tool, and it bypasses the Public Suffix List check.
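The trailing-dot cookie domain issue described above, illustrated with an added Python example that is not curl's code: a public-suffix check that compares raw strings, beside one that normalizes trailing dots before comparing. The suffix set is a constructed subset of the Public Suffix List, assumed for illustration only.

```python
"""Added example (not curl's code): why a cookie Domain attribute must be
normalized before the public-suffix check when hostnames carry a trailing dot."""

# Constructed subset of the Public Suffix List, assumed for this example.
PUBLIC_SUFFIXES = {"com", "co.uk", "uk", "github.io"}


def normalize(name: str) -> str:
    """Lowercase and strip the trailing dot, so 'example.com.' equals 'example.com'."""
    return name.lower().rstrip(".")


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 style domain-match: host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def cookie_domain_allowed_naive(host: str, cookie_domain: str) -> bool:
    """Weak variant: compares raw strings. 'co.uk.' is not found in the suffix set,
    so a public-suffix cookie for a trailing-dot host is accepted (a super cookie)."""
    domain = cookie_domain.lower().lstrip(".")  # leading dot is legacy syntax
    if domain in PUBLIC_SUFFIXES:
        return False
    return domain_matches(host.lower(), domain)


def cookie_domain_allowed(host: str, cookie_domain: str) -> bool:
    """Hardened variant: both names are normalized first, so a trailing-dot
    Domain attribute cannot slip past the public-suffix check."""
    host_n = normalize(host)
    domain_n = normalize(cookie_domain).lstrip(".")
    if not host_n or not domain_n:
        return False
    # A cookie scoped to a public suffix would be shared by every site under
    # that suffix; reject it regardless of how the names were spelled.
    if domain_n in PUBLIC_SUFFIXES:
        return False
    return domain_matches(host_n, domain_n)
```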
4) Double free (CVE-ID: CVE-2026-8925)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to double free in the SASL authentication logic when processing SASL authentication with a malicious server response. A remote user can influence server behavior to trigger the double free and cause a denial of service.
Only builds using libgsasl are vulnerable, and the issue can be triggered over IMAP, POP3, and SMTP.
5) Insufficiently protected credentials (CVE-ID: CVE-2026-8926)
CWE-ID: CWE-522 - Insufficiently Protected Credentials
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to use credentials intended for another user.
The vulnerability exists due to insufficiently protected credentials in .netrc credential handling when processing a URL that specifies a username without a password. A remote user can supply a URL with a username that has no matching .netrc entry to use credentials intended for another user.
This issue occurs only when curl is configured to use a .netrc file and the target host has credentials stored for a different user.
6) Authentication Bypass by Capture-replay (CVE-ID: CVE-2026-8927)
CWE-ID: CWE-294 - Authentication Bypass by Capture-replay
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to impersonate the client to another proxy.
The vulnerability exists due to authentication bypass by capture-replay in libcurl proxy authentication state handling when reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration. A remote user can receive a leaked Proxy-Authorization header on a subsequent request to impersonate the client to another proxy.
The issue affects libcurl and does not affect the curl command line tool.
7) Insufficiently protected credentials (CVE-ID: CVE-2026-9079)
CWE-ID: CWE-522 - Insufficiently Protected Credentials
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose proxy authentication credentials.
The vulnerability exists due to insufficiently protected credentials in libcurl proxy authentication handling when clearing proxy authentication credentials. A remote user can reuse a handle after changing proxy credentials to disclose proxy authentication credentials.
The issue affects libcurl and does not affect the curl command line tool.
8) Use-after-free (CVE-ID: CVE-2026-9080)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the libcurl socket callback handling when calling curl_easy_pause() within the CURLMOPT_SOCKETFUNCTION callback. A local user can invoke the affected callback sequence to cause a denial of service.
This issue affects libcurl and does not affect the curl command line tool.
9) Information disclosure (CVE-ID: CVE-2026-9545)
CWE-ID: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in libcurl HTTP/3 handling when reusing a cached SSL session with early data enabled after the original server has been replaced by an impostor machine. A remote attacker can replace the server with an impostor machine and cause libcurl to send request bytes before the certificate verification failure is enforced, disclosing sensitive information.
This issue is specific to HTTP/3 with the ngtcp2 + nghttp3 backend and requires SSL session caching to remain enabled and TLS early data to be enabled.
10) Improper validation of certificate with host mismatch (CVE-ID: CVE-2026-9547)
CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a man-in-the-middle attack.
The vulnerability exists due to improper validation of certificate with host mismatch in the CURLOPT_SSH_KEYFUNCTION callback when validating SSH host keys for SCP:// or SFTP:// transfers. A remote attacker can present a host key type that does not match the key type already recorded for the host in the known_hosts file to perform a man-in-the-middle attack.
Only libcurl-based applications built with the libssh backend and using the callback are vulnerable. The curl command line tool is not affected.
Remediation
Install the update from the vendor's website.