CLSA-2026-1779358660 curl: Fix of 2 CVEs

CVE-2026-5773: wrong reuse of SMB connection; disable connection reuse for SMBS so a subsequent transfer cannot wrongfully reuse a pooled connection to a different share - CVE-2026-6276: clear stale custom-Host cookiehost between requests on the same easy handle cookie leak across origins...

curl: NULL pointer dereference in libcurl URL API redirect_url() with CURLU_DEFAULT_SCHEME

Summary A NULL pointer dereference appears to exist in libcurl's URL API path when curlurlset handles a relative URL together with CURLUDEFAULTSCHEME on a CURLU handle that has host/path information but no stored u-scheme. The issue is in lib/urlapi.c inside redirecturl, where u-scheme is used in...

EUVD-2026-29930

When asked to both use a .netrc file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances...

EUVD-2026-29924

libcurl might in some circumstances reuse the wrong connection for SMBS transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the...

CVE-2026-5545

libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTPS request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid...

CVE-2026-5773

libcurl might in some circumstances reuse the wrong connection for SMBS transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the...

CVE-2026-6276 stale custom cookie host causes cookie leak

Using libcurl, when a custom Host: header is first set for an HTTP request and a second request is subsequently done using the same easy handle but without the custom Host: header set, the second request would use stale information and pass on cookies meant for the first host in the second reques...

CVE-2026-5545

CVE-2026-5545 affects libcurl: a logical error in connection reuse can cause a request to a server usingNegotiate authentication with user1:password1 to be mistakenly sent over a connection still authenticated for user1 when a second operation tries to authenticate as user2:password2 on the same ...

CLSA-2026-1778175425 curl: Fix of 2 CVEs

CVE-2016-8624: invalid URL parsing with '' - CVE-2016-8623: use-after-free via shared cookies...

CLSA-2026-1777877363 curl: Fix of 2 CVEs

CVE-2019-5436: tftp: use the current blksize for recvfrom - CVE-2016-8615: cookie: replace use of fgets with custom version...

JLSEC-2026-423 curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the...

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two...

JLSEC-2026-430 When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file,...

When doing SSH-based transfers using either SCP or SFTP, and setting the knownhosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global knownhosts file...

JLSEC-2026-439 When doing a second SMB request to the same host again, curl would wrongly use a data pointer...

When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory...

CLSA-2026-1777878036 curl: Fix of 2 CVEs

CVE-2019-5436: tftp: use the current blksize for recvfrom - CVE-2016-8615: cookie: replace use of fgets with custom version...

CLSA-2026-1773939685 curl: Fix of CVE-2026-3783

CVE-2026-3783: prevent bearer token leak on HTTPS redirect when .netrc contains entries for the redirected host...

ALPINE-CVE-2026-3784

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection...

CVE-2026-1965

libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of...

CVE-2026-1965

CVE-2026-1965 concerns a vulnerability in libcurl where, under Negotiate authentication, a live connection could be reused for a different user’s credentials. The issue arises because Negotiate sometimes authenticates connections rather than individual requests, allowing a second request to reuse...

CURL-CVE-2026-3805 use after free in SMB connection reuse

When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory...

[SECURITY] Fedora 43 Update: osslsigncode-2.12-1.fc43

osslsigncode is a small tool that implements part of the functionality of the Microsoft tool signtool.exe - more exactly the Authenticode signing and timestamping. But osslsigncode is based on OpenSSL and cURL, and thus should be able to compile on most platforms where these exist...