
[USN-8099-1] curl vulnerabilities

Posted on 16 March 2026
Ubuntu Security

==========================================================================
Ubuntu Security Notice USN-8099-1
March 16, 2026

curl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-1965)

It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. This issue only affected Ubuntu 20.04 LTS.
(CVE-2026-3783)

Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect credentials, contrary to expectations.
(CVE-2026-3784)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
curl 7.68.0-1ubuntu2.25+esm3
Available with Ubuntu Pro
libcurl3-gnutls 7.68.0-1ubuntu2.25+esm3
Available with Ubuntu Pro
libcurl3-nss 7.68.0-1ubuntu2.25+esm3
Available with Ubuntu Pro
libcurl4 7.68.0-1ubuntu2.25+esm3
Available with Ubuntu Pro

Ubuntu 18.04 LTS
curl 7.58.0-2ubuntu3.24+esm8
Available with Ubuntu Pro
libcurl3-gnutls 7.58.0-2ubuntu3.24+esm8
Available with Ubuntu Pro
libcurl3-nss 7.58.0-2ubuntu3.24+esm8
Available with Ubuntu Pro
libcurl4 7.58.0-2ubuntu3.24+esm8
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
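
One way to check a host against the fixed versions listed above, as an added example that is not part of the original notice. It assumes `dpkg` is available for version comparison; the function names and the sample package listing are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare installed curl packages with the fixed versions
# in USN-8099-1. Function names are hypothetical; dpkg is assumed present.

# Fixed version per release, copied from the notice's update instructions.
fixed_version() {   # $1 = Ubuntu release, e.g. VERSION_ID from /etc/os-release
  case "$1" in
    20.04) echo '7.68.0-1ubuntu2.25+esm3' ;;
    18.04) echo '7.58.0-2ubuntu3.24+esm8' ;;
    *)     return 1 ;;   # release is not listed in this notice
  esac
}

# usn_status RELEASE VERSION -> prints patched, vulnerable or not-listed
usn_status() {
  local fixed
  fixed=$(fixed_version "$1") || { echo not-listed; return 0; }
  if dpkg --compare-versions "$2" ge "$fixed"; then
    echo patched
  else
    echo vulnerable
  fi
}

# check_listing RELEASE: reads "package version" lines on stdin and reports
# on the four binary packages named in the notice, ignoring everything else.
check_listing() {
  local release pkg ver
  release=$1
  while read -r pkg ver; do
    [ -n "$ver" ] || continue   # known to dpkg but not installed
    case "$pkg" in
      curl|libcurl3-gnutls|libcurl3-nss|libcurl4)
        printf '%s %s %s\n' "$pkg" "$ver" "$(usn_status "$release" "$ver")" ;;
    esac
  done
}

# On a live host:
#   . /etc/os-release
#   dpkg-query -W -f='${Package} ${Version}\n' | check_listing "$VERSION_ID"

# Constructed sample listing (not real host output): one updated package,
# one older one, and one unrelated package that is skipped.
sample='curl 7.68.0-1ubuntu2.25+esm3
libcurl4 7.68.0-1ubuntu2.22
bash 5.0-6ubuntu1.2'
if command -v dpkg >/dev/null 2>&1; then
  printf '%s\n' "$sample" | check_listing 20.04
fi
```

A `not-listed` result only means the release does not appear in this notice.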

References:
https://ubuntu.com/security/notices/USN-8099-1
CVE-2026-1965, CVE-2026-3783, CVE-2026-3784
