SB2026071429 - Ubuntu update for curl



SB2026071429 - Ubuntu update for curl

Published: July 14, 2026

Security Bulletin ID SB2026071429
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 70% Low 30%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2024-11053)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error when using a .netrc file for credentials and an instruction to follow HTTP redirects. The cURL library can leak credentials intended for the first URL prior to redirection. This however will only occur if the .netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.


2) Improper certificate validation (CVE-ID: CVE-2024-8096)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to curl might fail to detect some OCSP problems when configured to use the Certificate Status Request TLS extension. A remote attacker can bypass OCSP stapling protection and perform a Man-in-the-Middle (MitM) attack.

Successful exploitation of the vulnerability requires that curl is build to use GnuTLS library.


3) Use-after-free (CVE-ID: CVE-2026-10536)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in libcurl HTTP/2 stream-dependency handling when resetting and cleaning up an easy handle configured with HTTP/2 stream dependencies. A local user can invoke curl_easy_reset() and then curl_easy_cleanup() on such a handle to cause a denial of service.

The issue only affects libcurl and requires use of the rarely used HTTP/2 stream-dependency options CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E.


4) Authentication Bypass by Primary Weakness (CVE-ID: CVE-2026-5545)

CWE-ID: CWE-305 - Authentication Bypass by Primary Weakness

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to wrong reuse of HTTP Negotiate authentication connection. A remote attacker can execute arbitrary requests under the wrong user context.


5) Exposure of Data Element to Wrong Session (CVE-ID: CVE-2026-5773)

CWE-ID: CWE-488 - Exposure of Data Element to Wrong Session

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper reuse of connection for SMB(S) transfers. A remote attacker can gain access to sensitive information on the system.


6) Authentication Bypass by Capture-replay (CVE-ID: CVE-2026-7168)

CWE-ID: CWE-294 - Authentication Bypass by Capture-replay

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to authentication bypass by capture-replay. A remote attacker can leak and reuse Digest proxy authentication state across proxies to impersonate the client.


7) Improper validation of certificate with host mismatch (CVE-ID: CVE-2026-12064)

CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to connect to an unverified SSH remote host.

The vulnerability exists due to improper validation of certificate with host mismatch in the curl command line tool when processing a schemeless URL combined with --proto-default for sftp or scp. A remote attacker can present an SSH server in that connection flow to connect to an unverified SSH remote host.

This issue affects only the curl command line tool and does not affect other users of libcurl or the libcurl library itself.


8) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-11586)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the WebSocket auto-PONG handling when processing rapid sequential WebSocket PING frames from a server. A remote attacker can send rapid sequential PING frames to cause a denial of service.

This issue affects both libcurl and the curl command line tool.


9) Infinite loop (CVE-ID: CVE-2026-11352)

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a loop with an unreachable exit condition in the QUIC UDP receive function when processing zero-length UDP datagrams from a connected HTTP/3 server. A remote attacker can continuously stream empty datagrams to cause a denial of service.

This issue only triggers on platforms featuring the recvmmsg() function call.


10) Improper Certificate Validation (CVE-ID: CVE-2026-11564)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass certificate trust restrictions.

The vulnerability exists due to improper certificate validation in libcurl connection reuse logic when reusing an easy handle after switching from native CA trust to custom CA material. A remote attacker can present a TLS certificate trusted by the native platform store to bypass certificate trust restrictions.

This issue applies to builds that use Native CA by default on Apple operating systems or Windows, and affects the OpenSSL, GnuTLS, Schannel, and Rustls TLS backends.


Remediation

Install update from vendor's website.