10125 matches found

OSV
added 2026/05/04 1:12 p.m. | 4 views

JLSEC-2026-403

A cleartext transmission of sensitive information vulnerability exists in curl v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP...

CVSS 6.5 | AI score 7.3 | EPSS 0.00039
Exploits: 0 | References: 6
OSV
added 2026/05/04 1:12 p.m. | 2 views

JLSEC-2026-429 When doing TLS related transfers with reused easy or multi handles and altering the ...

When doing TLS related transfers with reused easy or multi handles and altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcur...

CVSS 5.3 | AI score 6 | EPSS 0.00029
Exploits: 0 | References: 5
OSV
added 2026/05/04 7:0 a.m. | 4 views

CLSA-2026-1777878036 curl: Fix of 2 CVEs

CVE-2019-5436: tftp: use the current blksize for recvfrom - CVE-2016-8615: cookie: replace use of fgets with custom version...

CVSS 7.8 | AI score 6.8 | EPSS 0.13273
Exploits: 1 | References: 1
OSV
added 2026/05/04 12:0 a.m. | 2 views

OPENSUSE-SU-2026:10674-1 curl-8.20.0-1.1 on GA media

These are all security issues fixed in the curl-8.20.0-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 7.5 | AI score 5.8 | EPSS 0.00036
Exploits: 6 | References: 6
AstraLinux
added 2026/05/03 11:59 p.m. | 4 views

Astra Linux – Vulnerability in curl

There is an information disclosure vulnerability in curl v8.1.0 when performing HTTPS transfers. libcurl may incorrectly use the read callback CURLOPT_READFUNCTION to request data to be sent, even when the CURLOPT_POSTFIELDS option is set. This occurs if the same handle was previously used to issue...

CVSS 5.3 | AI score 6.2 | EPSS 0.00631
Exploits: 1 | References: 2
AstraLinux
added 2026/05/03 11:59 p.m. | 4 views

Astra Linux – Vulnerability in curl

There is a vulnerability in input validation in curl 8.0. During communication using the TELNET protocol, this may allow an attacker to send maliciously crafted user names and “telnet options” during server negotiation. The lack of proper input scrubbing allows an attacker to send content or...

CVSS 9.8 | AI score 7.2 | EPSS 0.00148
Exploits: 1 | References: 2
AstraLinux
added 2026/05/03 11:59 p.m. | 5 views

Astra Linux – Vulnerability in curl

When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname, but the...

CVSS 3.4 | AI score 7 | EPSS 0.01285
Exploits: 1 | References: 2
AstraLinux
added 2026/05/03 11:59 p.m. | 4 views

Astra Linux – Vulnerability in curl

When curl is used to retrieve and parse cookies from an HTTPS server, it accepts cookies using control codes that, when sent back to an HTTP server later, may cause the server to return 400 responses. This effectively allows a “sister site” to deny service to all other sibling sites...

CVSS 3.7 | AI score 6.4 | EPSS 0.00289
Exploits: 1 | References: 2
AstraLinux
added 2026/05/03 11:59 p.m. | 4 views

Astra Linux – Vulnerability in curl

When performing TLS-related transfers using reused easy or multi-handles, and altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl may accidentally reuse a CA store cached in memory, where the partial chain option is reversed. This goes against the user’s wishes and expectations. As a result,...

CVSS 5.3 | AI score 6 | EPSS 0.00029
Exploits: 0 | References: 1
AstraLinux
added 2026/05/03 11:59 p.m. | 4 views

Astra Linux – Vulnerability in curl

There is a vulnerability in curl version 7.87.0 where it is possible to exploit the memory reclamation mechanism. In this vulnerability, curl can be instructed to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can and often do deny such tunnel operations. When curl...

CVSS 5.9 | AI score 6.5 | EPSS 0.0011
Exploits: 1 | References: 2
AstraLinux
added 2026/05/03 11:59 p.m. | 3 views

Astra Linux – Vulnerability in curl

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally...

CVSS 6.3 | AI score 6.6 | EPSS 0.00003
Exploits: 0 | References: 2
AstraLinux
added 2026/05/03 11:59 p.m. | 3 views

Astra Linux – Vulnerability in curl

When the curl command is used to retrieve content using the Metalink feature, and a user name and password are used to download the Metalink XML file, those same credentials are then passed to each server from which the curl command will attempt to download or retrieve the content. This often...

CVSS 5.3 | AI score 6.5 | EPSS 0.00068
Exploits: 1 | References: 2
AstraLinux
added 2026/05/03 11:59 p.m. | 3 views

Astra Linux – Vulnerability in curl

When an OAuth2 bearer token is used for an HTTPS transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host...

CVSS 5.3 | AI score 6.4 | EPSS 0.00022
Exploits: 1 | References: 2
Hacker One
added 2026/05/02 4:25 a.m. | 11 views

curl: wcurl treats some URL operands after -- as curl options

I found that wcurl does not always keep operands after -- in a pure URL-data context. The documented way to pass curl options through wcurl is --curl-options, but a value supplied as a URL operand can still reach the final curl command as an option, for example wcurl -- "--url=file:///...". A...

AI score 6.3
Exploits: 0
RedHat Linux
added 2026/05/02 12:23 a.m. | 3 views

Moderate: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: curl: curl-8.20.0-0.1.hum1 aarch64, x86_64 libcurl-8.20.0-0.1.hum1 aarch64, x86_64 libcurl-devel-8.20.0-0.1.hum1 aarch64, x86_64 libcurl-minimal-8.20.0-0.1.hum1 aarch64, x86_64 curl-8.20.0-0.1.hum1.s...

CVSS 7.5 | AI score 5.8 | EPSS 0.00036
Exploits: 6 | References: 8
Hacker One
added 2026/05/01 5:32 p.m. | 14 views

curl: libcurl 8.20.0 incomplete fix for CVE-2026-7168: changing only CURLOPT_PROXYPORT leaks stale Proxy Digest auth to a different proxy

Summary: I found an incomplete-fix variant of CVE-2026-7168 in curl 8.20.0. The 8.20.0 fix clears state.proxydigest / state.authproxy when CURLOPT_PROXY changes, but not when only CURLOPT_PROXYPORT changes. On the same easy handle, request 1 through proxyA (CURLOPT_PROXYPORT=18197) learns Proxy Digest...

CVSS 5.3 | AI score 5.8 | EPSS 0.00104
Exploits: 1
Tenable Nessus
added 2026/05/01 12:0 a.m. | 3 views

Curl 7.10.6 < 8.20.0 Wrong Reuse of HTTP Negotiate Connection

The version of curl installed on the remote host is 7.10.6 prior to 8.20.0. It is, therefore, affected by an authentication bypass vulnerability: - libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTPS request after a Negotiate-authenticated one,...

CVSS 6.5 | AI score 5.8 | EPSS 0.00036
Exploits: 1 | References: 2
Tenable Nessus
added 2026/05/01 12:0 a.m. | 3 views

Curl 7.40.0 < 8.20.0 Wrong SMB Connection Reuse

The version of curl installed on the remote host is 7.40.0 prior to 8.20.0. It is, therefore, affected by a wrong SMB connection reuse vulnerability: - libcurl might in some circumstances reuse the wrong connection for SMBS transfers. The code erroneously did not consider the share name as a...

CVSS 7.5 | AI score 5.8 | EPSS 0.00019
Exploits: 1 | References: 2
Tenable Nessus
added 2026/05/01 12:0 a.m. | 3 views

Curl 7.14.1 < 8.20.0 Proxy Credential Disclosure

The version of curl installed on the remote host is 7.14.1 prior to 8.20.0. It is, therefore, affected by a proxy credential disclosure vulnerability: - curl might erroneously pass on credentials for a first proxy to a second proxy. This flaw occurs when different proxies are configured for...

CVSS 5.9 | AI score 5.8 | EPSS 0.0003
Exploits: 1 | References: 2
Tenable Nessus
added 2026/05/01 12:0 a.m. | 4 views

Curl 8.17.0 < 8.20.0 OCSP Stapling Bypass

The version of curl installed on the remote host is 8.17.0 prior to 8.20.0. It is, therefore, affected by an OCSP stapling bypass vulnerability: - When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is...

CVSS 5.3 | AI score 5.8 | EPSS 0.00013
Exploits: 1 | References: 2