UBUNTU-CVE-2026-8932

Source
https://ubuntu.com/security/CVE-2026-8932
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8932.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-8932
Upstream
  • CVE-2026-8932
Published
2026-06-24T14:00:00Z
Modified
2026-07-01T03:39:51.032936549Z
Severity
  • Ubuntu - low
Summary
[none]
Details

libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.

References

Affected packages

Ubuntu:22.04:LTS
curl

Package

Name
curl
Purl
pkg:deb/ubuntu/curl?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*
7.74.0-1.3ubuntu2
7.74.0-1.3ubuntu3
7.80.0-3
7.81.0-1
7.81.0-1ubuntu1.1
7.81.0-1ubuntu1.2
7.81.0-1ubuntu1.3
7.81.0-1ubuntu1.4
7.81.0-1ubuntu1.6
7.81.0-1ubuntu1.7
7.81.0-1ubuntu1.8
7.81.0-1ubuntu1.10
7.81.0-1ubuntu1.11
7.81.0-1ubuntu1.13
7.81.0-1ubuntu1.14
7.81.0-1ubuntu1.15
7.81.0-1ubuntu1.16
7.81.0-1ubuntu1.17
7.81.0-1ubuntu1.18
7.81.0-1ubuntu1.19
7.81.0-1ubuntu1.20
7.81.0-1ubuntu1.21
7.81.0-1ubuntu1.22
7.81.0-1ubuntu1.23
7.81.0-1ubuntu1.24
7.81.0-1ubuntu1.25

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "curl",
            "binary_version": "7.81.0-1ubuntu1.25"
        },
        {
            "binary_name": "libcurl3-gnutls",
            "binary_version": "7.81.0-1ubuntu1.25"
        },
        {
            "binary_name": "libcurl3-nss",
            "binary_version": "7.81.0-1ubuntu1.25"
        },
        {
            "binary_name": "libcurl4",
            "binary_version": "7.81.0-1ubuntu1.25"
        }
    ],
    "priority_reason": "Upstream defined this as low severity"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8932.json"
Ubuntu:24.04:LTS
curl

Package

Name
curl
Purl
pkg:deb/ubuntu/curl?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.2.1-1ubuntu3
8.2.1-1ubuntu3.1
8.4.0-2ubuntu1
8.5.0-2ubuntu1
8.5.0-2ubuntu2
8.5.0-2ubuntu8
8.5.0-2ubuntu9
8.5.0-2ubuntu10
8.5.0-2ubuntu10.1
8.5.0-2ubuntu10.2
8.5.0-2ubuntu10.3
8.5.0-2ubuntu10.4
8.5.0-2ubuntu10.5
8.5.0-2ubuntu10.6
8.5.0-2ubuntu10.7
8.5.0-2ubuntu10.8
8.5.0-2ubuntu10.9
8.5.0-2ubuntu10.10

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "curl",
            "binary_version": "8.5.0-2ubuntu10.10"
        },
        {
            "binary_name": "libcurl3t64-gnutls",
            "binary_version": "8.5.0-2ubuntu10.10"
        },
        {
            "binary_name": "libcurl4t64",
            "binary_version": "8.5.0-2ubuntu10.10"
        }
    ],
    "priority_reason": "Upstream defined this as low severity"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8932.json"
Ubuntu:25.10
curl

Package

Name
curl
Purl
pkg:deb/ubuntu/curl?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.12.1-3ubuntu1
8.13.0-5ubuntu1
8.14.1-1ubuntu2
8.14.1-1ubuntu3
8.14.1-2ubuntu1
8.14.1-2ubuntu1.1
8.14.1-2ubuntu1.2
8.14.1-2ubuntu1.3
8.14.1-2ubuntu1.4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "curl",
            "binary_version": "8.14.1-2ubuntu1.4"
        },
        {
            "binary_name": "libcurl3t64-gnutls",
            "binary_version": "8.14.1-2ubuntu1.4"
        },
        {
            "binary_name": "libcurl4t64",
            "binary_version": "8.14.1-2ubuntu1.4"
        }
    ],
    "priority_reason": "Upstream defined this as low severity"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8932.json"
Ubuntu:26.04:LTS
curl

Package

Name
curl
Purl
pkg:deb/ubuntu/curl?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.14.1-2ubuntu1
8.17.0-1ubuntu1
8.18.0-1ubuntu1
8.18.0-1ubuntu2
8.18.0-1ubuntu2.1
8.18.0-1ubuntu2.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "curl",
            "binary_version": "8.18.0-1ubuntu2.2"
        },
        {
            "binary_name": "libcurl3t64-gnutls",
            "binary_version": "8.18.0-1ubuntu2.2"
        },
        {
            "binary_name": "libcurl4t64",
            "binary_version": "8.18.0-1ubuntu2.2"
        }
    ],
    "priority_reason": "Upstream defined this as low severity"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8932.json"
Ubuntu:Pro:14.04:LTS
curl

Package

Name
curl
Purl
pkg:deb/ubuntu/curl?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*
7.32.0-1ubuntu1
7.33.0-1ubuntu1
7.34.0-1ubuntu1
7.35.0-1ubuntu1
7.35.0-1ubuntu2
7.35.0-1ubuntu2.1
7.35.0-1ubuntu2.2
7.35.0-1ubuntu2.3
7.35.0-1ubuntu2.5
7.35.0-1ubuntu2.6
7.35.0-1ubuntu2.7
7.35.0-1ubuntu2.8
7.35.0-1ubuntu2.9
7.35.0-1ubuntu2.10
7.35.0-1ubuntu2.11
7.35.0-1ubuntu2.12
7.35.0-1ubuntu2.13
7.35.0-1ubuntu2.14
7.35.0-1ubuntu2.15
7.35.0-1ubuntu2.16
7.35.0-1ubuntu2.17
7.35.0-1ubuntu2.19
7.35.0-1ubuntu2.20
7.35.0-1ubuntu2.20+esm2
7.35.0-1ubuntu2.20+esm3
7.35.0-1ubuntu2.20+esm4
7.35.0-1ubuntu2.20+esm5
7.35.0-1ubuntu2.20+esm6
7.35.0-1ubuntu2.20+esm7
7.35.0-1ubuntu2.20+esm8
7.35.0-1ubuntu2.20+esm9
7.35.0-1ubuntu2.20+esm10
7.35.0-1ubuntu2.20+esm11
7.35.0-1ubuntu2.20+esm12
7.35.0-1ubuntu2.20+esm13
7.35.0-1ubuntu2.20+esm14
7.35.0-1ubuntu2.20+esm15
7.35.0-1ubuntu2.20+esm16
7.35.0-1ubuntu2.20+esm17
7.35.0-1ubuntu2.20+esm18
7.35.0-1ubuntu2.20+esm19
7.35.0-1ubuntu2.20+esm20

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "curl",
            "binary_version": "7.35.0-1ubuntu2.20+esm20"
        },
        {
            "binary_name": "libcurl3",
            "binary_version": "7.35.0-1ubuntu2.20+esm20"
        },
        {
            "binary_name": "libcurl3-gnutls",
            "binary_version": "7.35.0-1ubuntu2.20+esm20"
        },
        {
            "binary_name": "libcurl3-nss",
            "binary_version": "7.35.0-1ubuntu2.20+esm20"
        }
    ],
    "priority_reason": "Upstream defined this as low severity"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8932.json"
Ubuntu:Pro:16.04:LTS
curl

Package

Name
curl
Purl
pkg:deb/ubuntu/curl?arch=source&distro=esm-infra-legacy%2Fxenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*
7.43.0-1ubuntu2
7.45.0-1ubuntu1
7.46.0-1ubuntu1
7.47.0-1ubuntu1
7.47.0-1ubuntu2
7.47.0-1ubuntu2.1
7.47.0-1ubuntu2.2
7.47.0-1ubuntu2.3
7.47.0-1ubuntu2.4
7.47.0-1ubuntu2.5
7.47.0-1ubuntu2.6
7.47.0-1ubuntu2.7
7.47.0-1ubuntu2.8
7.47.0-1ubuntu2.9
7.47.0-1ubuntu2.11
7.47.0-1ubuntu2.12
7.47.0-1ubuntu2.13
7.47.0-1ubuntu2.14
7.47.0-1ubuntu2.15
7.47.0-1ubuntu2.16
7.47.0-1ubuntu2.18
7.47.0-1ubuntu2.19
7.47.0-1ubuntu2.19+esm1
7.47.0-1ubuntu2.19+esm2
7.47.0-1ubuntu2.19+esm3
7.47.0-1ubuntu2.19+esm4
7.47.0-1ubuntu2.19+esm5
7.47.0-1ubuntu2.19+esm6
7.47.0-1ubuntu2.19+esm7
7.47.0-1ubuntu2.19+esm8
7.47.0-1ubuntu2.19+esm9
7.47.0-1ubuntu2.19+esm10
7.47.0-1ubuntu2.19+esm11
7.47.0-1ubuntu2.19+esm12
7.47.0-1ubuntu2.19+esm13
7.47.0-1ubuntu2.19+esm15
7.47.0-1ubuntu2.19+esm16

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "curl",
            "binary_version": "7.47.0-1ubuntu2.19+esm16"
        },
        {
            "binary_name": "libcurl3",
            "binary_version": "7.47.0-1ubuntu2.19+esm16"
        },
        {
            "binary_name": "libcurl3-gnutls",
            "binary_version": "7.47.0-1ubuntu2.19+esm16"
        },
        {
            "binary_name": "libcurl3-nss",
            "binary_version": "7.47.0-1ubuntu2.19+esm16"
        }
    ],
    "priority_reason": "Upstream defined this as low severity"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8932.json"
Ubuntu:Pro:18.04:LTS
curl

Package

Name
curl
Purl
pkg:deb/ubuntu/curl?arch=source&distro=esm-infra%2Fbionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*
7.55.1-1ubuntu2
7.55.1-1ubuntu2.1
7.57.0-1ubuntu1
7.58.0-2ubuntu1
7.58.0-2ubuntu2
7.58.0-2ubuntu3
7.58.0-2ubuntu3.1
7.58.0-2ubuntu3.2
7.58.0-2ubuntu3.3
7.58.0-2ubuntu3.5
7.58.0-2ubuntu3.6
7.58.0-2ubuntu3.7
7.58.0-2ubuntu3.8
7.58.0-2ubuntu3.9
7.58.0-2ubuntu3.10
7.58.0-2ubuntu3.12
7.58.0-2ubuntu3.13
7.58.0-2ubuntu3.14
7.58.0-2ubuntu3.15
7.58.0-2ubuntu3.16
7.58.0-2ubuntu3.17
7.58.0-2ubuntu3.18
7.58.0-2ubuntu3.19
7.58.0-2ubuntu3.20
7.58.0-2ubuntu3.21
7.58.0-2ubuntu3.22
7.58.0-2ubuntu3.23
7.58.0-2ubuntu3.24
7.58.0-2ubuntu3.24+esm1
7.58.0-2ubuntu3.24+esm2
7.58.0-2ubuntu3.24+esm3
7.58.0-2ubuntu3.24+esm4
7.58.0-2ubuntu3.24+esm5
7.58.0-2ubuntu3.24+esm7
7.58.0-2ubuntu3.24+esm8
7.58.0-2ubuntu3.24+esm9

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "curl",
            "binary_version": "7.58.0-2ubuntu3.24+esm9"
        },
        {
            "binary_name": "libcurl3-gnutls",
            "binary_version": "7.58.0-2ubuntu3.24+esm9"
        },
        {
            "binary_name": "libcurl3-nss",
            "binary_version": "7.58.0-2ubuntu3.24+esm9"
        },
        {
            "binary_name": "libcurl4",
            "binary_version": "7.58.0-2ubuntu3.24+esm9"
        }
    ],
    "priority_reason": "Upstream defined this as low severity"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8932.json"
Ubuntu:Pro:20.04:LTS
curl

Package

Name
curl
Purl
pkg:deb/ubuntu/curl?arch=source&distro=esm-infra%2Ffocal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*
7.65.3-1ubuntu3
7.65.3-1ubuntu4
7.66.0-1ubuntu1
7.67.0-2ubuntu1
7.68.0-1ubuntu1
7.68.0-1ubuntu2
7.68.0-1ubuntu2.1
7.68.0-1ubuntu2.2
7.68.0-1ubuntu2.4
7.68.0-1ubuntu2.5
7.68.0-1ubuntu2.6
7.68.0-1ubuntu2.7
7.68.0-1ubuntu2.10
7.68.0-1ubuntu2.11
7.68.0-1ubuntu2.12
7.68.0-1ubuntu2.13
7.68.0-1ubuntu2.14
7.68.0-1ubuntu2.15
7.68.0-1ubuntu2.16
7.68.0-1ubuntu2.18
7.68.0-1ubuntu2.19
7.68.0-1ubuntu2.20
7.68.0-1ubuntu2.21
7.68.0-1ubuntu2.22
7.68.0-1ubuntu2.23
7.68.0-1ubuntu2.24
7.68.0-1ubuntu2.25
7.68.0-1ubuntu2.25+esm2
7.68.0-1ubuntu2.25+esm3
7.68.0-1ubuntu2.25+esm4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "curl",
            "binary_version": "7.68.0-1ubuntu2.25+esm4"
        },
        {
            "binary_name": "libcurl3-gnutls",
            "binary_version": "7.68.0-1ubuntu2.25+esm4"
        },
        {
            "binary_name": "libcurl3-nss",
            "binary_version": "7.68.0-1ubuntu2.25+esm4"
        },
        {
            "binary_name": "libcurl4",
            "binary_version": "7.68.0-1ubuntu2.25+esm4"
        }
    ],
    "priority_reason": "Upstream defined this as low severity"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8932.json"