UBUNTU-CVE-2026-12064

Source
https://ubuntu.com/security/CVE-2026-12064
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12064.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-12064
Upstream
Downstream
Related
Published
2026-06-24T14:00:00Z
Modified
2026-07-11T00:15:06.070774876Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
  • Ubuntu - low
Summary
[none]
Details

When a user invokes curl using a schemeless URL combined with --proto-default sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPTSSHHOSTPUBLICKEYSHA256 and CURLOPTSSHKNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPTDEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.

References

Affected packages

Ubuntu:25.10 / curl

Package

Name
curl
Purl
pkg:deb/ubuntu/curl?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.14.1-2ubuntu1.5

Affected versions

8.*
8.12.1-3ubuntu1
8.13.0-5ubuntu1
8.14.1-1ubuntu2
8.14.1-1ubuntu3
8.14.1-2ubuntu1
8.14.1-2ubuntu1.1
8.14.1-2ubuntu1.2
8.14.1-2ubuntu1.3
8.14.1-2ubuntu1.4

Ecosystem specific

{
    "availability": "No subscription required",
    "priority_reason": "Upstream defined this as low severity",
    "binaries": [
        {
            "binary_name": "curl",
            "binary_version": "8.14.1-2ubuntu1.5"
        },
        {
            "binary_name": "libcurl3t64-gnutls",
            "binary_version": "8.14.1-2ubuntu1.5"
        },
        {
            "binary_name": "libcurl4t64",
            "binary_version": "8.14.1-2ubuntu1.5"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12064.json"

Ubuntu:26.04:LTS / curl

Package

Name
curl
Purl
pkg:deb/ubuntu/curl?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.18.0-1ubuntu2.3

Affected versions

8.*
8.14.1-2ubuntu1
8.17.0-1ubuntu1
8.18.0-1ubuntu1
8.18.0-1ubuntu2
8.18.0-1ubuntu2.1
8.18.0-1ubuntu2.2

Ecosystem specific

{
    "availability": "No subscription required",
    "priority_reason": "Upstream defined this as low severity",
    "binaries": [
        {
            "binary_name": "curl",
            "binary_version": "8.18.0-1ubuntu2.3"
        },
        {
            "binary_name": "libcurl3t64-gnutls",
            "binary_version": "8.18.0-1ubuntu2.3"
        },
        {
            "binary_name": "libcurl4t64",
            "binary_version": "8.18.0-1ubuntu2.3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12064.json"