SB2026071466 - SUSE update for curl
Published: July 14, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 11 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2026-10536)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in libcurl HTTP/2 stream-dependency handling when resetting and cleaning up an easy handle configured with HTTP/2 stream dependencies. A local user can invoke curl_easy_reset() and then curl_easy_cleanup() on such a handle to cause a denial of service.
The issue only affects libcurl and requires use of the rarely used HTTP/2 stream-dependency options CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E.
2) Improper validation of certificate with host mismatch (CVE-ID: CVE-2026-12064)
CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to connect to an unverified SSH remote host.
The vulnerability exists due to improper validation of certificate with host mismatch in the curl command line tool when processing a schemeless URL combined with --proto-default for sftp or scp. A remote attacker can present an SSH server in that connection flow to connect to an unverified SSH remote host.
This issue affects only the curl command line tool and does not affect other users of libcurl or the libcurl library itself.
3) Cleartext transmission of sensitive information (CVE-ID: CVE-2026-4873)
CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to connection reuse ignores TLS requirement. A remote attacker can gain access to sensitive data.
4) Improper Certificate Validation (CVE-ID: CVE-2026-8286)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass TLS certificate validation.
The vulnerability exists due to improper certificate validation in connection reuse logic for STARTTLS-enabled protocol handling when reusing an existing live connection for a new transfer. A remote attacker can cause a transfer to reuse a connection with mismatched TLS settings to bypass TLS certificate validation.
This affects transfers using IMAP, POP3, SMTP, FTP, or LDAP schemes that begin in cleartext and are upgraded to TLS with STARTTLS.
5) Exposure of Data Element to Wrong Session (CVE-ID: CVE-2026-8458)
CWE-ID: CWE-488 - Exposure of Data Element to Wrong Session
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to expose data to the wrong session.
The vulnerability exists due to exposure of data element to wrong session in libcurl connection reuse logic when reusing Negotiate-authenticated connections across different services. A remote user can issue a request that wrongfully reuses an existing authenticated connection to expose data to the wrong session.
The issue only occurs when using the same hostname, port number, and credentials, and when the previous connection remains alive in the connection pool.
6) Insertion of Sensitive Information Into Sent Data (CVE-ID: CVE-2026-8924)
CWE-ID: CWE-201 - Insertion of Sensitive Information Into Sent Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper cookie domain validation in cookie parsing logic when processing a cookie with a trailing-dot domain for a trailing-dot hostname. A remote attacker can send a specially crafted HTTP response that sets a super cookie to disclose sensitive information.
This issue is exploitable through both libcurl and the curl command line tool, and it bypasses the Public Suffix List check.
7) Authentication Bypass by Capture-replay (CVE-ID: CVE-2026-8927)
CWE-ID: CWE-294 - Authentication Bypass by Capture-replay
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to impersonate the client to another proxy.
The vulnerability exists due to authentication bypass by capture-replay in libcurl proxy authentication state handling when reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration. A remote user can receive a leaked Proxy-Authorization header on a subsequent request to impersonate the client to another proxy.
The issue affects libcurl and does not affect the curl command line tool.
8) Insufficiently protected credentials (CVE-ID: CVE-2026-9079)
CWE-ID: CWE-522 - Insufficiently Protected Credentials
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose proxy authentication credentials.
The vulnerability exists due to insufficiently protected credentials in libcurl proxy authentication handling when clearing proxy authentication credentials. A remote user can reuse a handle after changing proxy credentials to disclose proxy authentication credentials.
The issue affects libcurl and does not affect the curl command line tool.
9) Use-after-free (CVE-ID: CVE-2026-9080)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the libcurl socket callback handling when calling curl_easy_pause() within the CURLMOPT_SOCKETFUNCTION callback. A local user can invoke the affected callback sequence to cause a denial of service.
This issue affects libcurl and does not affect the curl command line tool.
10) Information disclosure (CVE-ID: CVE-2026-9545)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in libcurl HTTP/3 handling when reusing a cached SSL session with early data enabled after the original server is replaced by an impostor machine. A remote attacker can replace the server with an impostor machine and cause libcurl to send request bytes before certificate verification failure is enforced to disclose sensitive information.
This issue is specific to HTTP/3 with the ngtcp2 + nghttp3 backend and requires SSL session caching to remain enabled and TLS early data to be enabled.
11) Improper validation of certificate with host mismatch (CVE-ID: CVE-2026-9547)
CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a man-in-the-middle attack.
The vulnerability exists due to improper validation of certificate with host mismatch in the CURLOPT_SSH_KEYFUNCTION callback when validating SSH host keys for SCP:// or SFTP:// transfers. A remote attacker can present a host key type that does not match the key type already recorded for the host in the known_hosts file to perform a man-in-the-middle attack.
Only libcurl-based applications built with the libssh backend and using the callback are vulnerable. The curl command line tool is not affected.
Remediation
Install update from vendor's website.