USN-8084-1

Source
https://ubuntu.com/security/notices/USN-8084-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8084-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-8084-1
Published
2026-03-11T12:11:15Z
Modified
2026-03-14T09:31:06.022463381Z
Summary
curl vulnerabilities
Details

Zhicheng Chen discovered that curl could incorrectly reuse the wrong connection for Negotiate-authenticated HTTP or HTTPS requests. This could result in the use of credentials from a different connection, contrary to expectations. (CVE-2026-1965)

It was discovered that curl incorrectly leaked OAuth2 bearer tokens when following a redirect. This could result in tokens being sent to the wrong host, contrary to expectations. (CVE-2026-3783)

Muhamad Arga Reksapati discovered that curl incorrectly reused existing HTTP proxy connections even if the request used different credentials. This could result in the use of incorrect credentials, contrary to expectations. (CVE-2026-3784)

Daniel Wade discovered that curl incorrectly handled certain memory operations when doing a second SMB request to the same host. An attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 25.10. (CVE-2026-3805)

Yihang Zhou discovered that curl incorrectly reused .netrc file credentials when following redirects. This could result in the use of credentials for a different host, contrary to expectations. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-0167)

Affected packages

Ubuntu:22.04:LTS / curl

Package

Name
curl
Purl
pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.23?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
7.81.0-1ubuntu1.23

Affected versions

7.*
7.74.0-1.3ubuntu2
7.74.0-1.3ubuntu3
7.80.0-3
7.81.0-1
7.81.0-1ubuntu1.1
7.81.0-1ubuntu1.2
7.81.0-1ubuntu1.3
7.81.0-1ubuntu1.4
7.81.0-1ubuntu1.6
7.81.0-1ubuntu1.7
7.81.0-1ubuntu1.8
7.81.0-1ubuntu1.10
7.81.0-1ubuntu1.11
7.81.0-1ubuntu1.13
7.81.0-1ubuntu1.14
7.81.0-1ubuntu1.15
7.81.0-1ubuntu1.16
7.81.0-1ubuntu1.17
7.81.0-1ubuntu1.18
7.81.0-1ubuntu1.19
7.81.0-1ubuntu1.20
7.81.0-1ubuntu1.21
7.81.0-1ubuntu1.22

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "curl",
            "binary_version": "7.81.0-1ubuntu1.23"
        },
        {
            "binary_version": "7.81.0-1ubuntu1.23",
            "binary_name": "libcurl3-gnutls"
        },
        {
            "binary_version": "7.81.0-1ubuntu1.23",
            "binary_name": "libcurl3-nss"
        },
        {
            "binary_name": "libcurl4",
            "binary_version": "7.81.0-1ubuntu1.23"
        },
        {
            "binary_name": "libcurl4-gnutls-dev",
            "binary_version": "7.81.0-1ubuntu1.23"
        },
        {
            "binary_version": "7.81.0-1ubuntu1.23",
            "binary_name": "libcurl4-nss-dev"
        },
        {
            "binary_name": "libcurl4-openssl-dev",
            "binary_version": "7.81.0-1ubuntu1.23"
        }
    ]
}

Database specific

cves_map
{
    "cves": [
        {
            "id": "CVE-2025-0167",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-1965",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        },
        {
            "id": "CVE-2026-3783",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        },
        {
            "id": "CVE-2026-3784",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        }
    ],
    "ecosystem": "Ubuntu:22.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8084-1.json"

Ubuntu:24.04:LTS / curl

Package

Name
curl
Purl
pkg:deb/ubuntu/curl@8.5.0-2ubuntu10.8?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
8.5.0-2ubuntu10.8

Affected versions

8.*
8.2.1-1ubuntu3
8.2.1-1ubuntu3.1
8.4.0-2ubuntu1
8.5.0-2ubuntu1
8.5.0-2ubuntu2
8.5.0-2ubuntu8
8.5.0-2ubuntu9
8.5.0-2ubuntu10
8.5.0-2ubuntu10.1
8.5.0-2ubuntu10.2
8.5.0-2ubuntu10.3
8.5.0-2ubuntu10.4
8.5.0-2ubuntu10.5
8.5.0-2ubuntu10.6
8.5.0-2ubuntu10.7

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "curl",
            "binary_version": "8.5.0-2ubuntu10.8"
        },
        {
            "binary_name": "libcurl3t64-gnutls",
            "binary_version": "8.5.0-2ubuntu10.8"
        },
        {
            "binary_version": "8.5.0-2ubuntu10.8",
            "binary_name": "libcurl4-gnutls-dev"
        },
        {
            "binary_name": "libcurl4-openssl-dev",
            "binary_version": "8.5.0-2ubuntu10.8"
        },
        {
            "binary_name": "libcurl4t64",
            "binary_version": "8.5.0-2ubuntu10.8"
        }
    ]
}

Database specific

cves_map
{
    "cves": [
        {
            "id": "CVE-2025-0167",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-1965",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        },
        {
            "id": "CVE-2026-3783",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        },
        {
            "id": "CVE-2026-3784",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        }
    ],
    "ecosystem": "Ubuntu:24.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8084-1.json"

Ubuntu:25.10 / curl

Package

Name
curl
Purl
pkg:deb/ubuntu/curl@8.14.1-2ubuntu1.2?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
8.14.1-2ubuntu1.2

Affected versions

8.*
8.12.1-3ubuntu1
8.13.0-5ubuntu1
8.14.1-1ubuntu2
8.14.1-1ubuntu3
8.14.1-2ubuntu1
8.14.1-2ubuntu1.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "curl",
            "binary_version": "8.14.1-2ubuntu1.2"
        },
        {
            "binary_name": "libcurl3t64-gnutls",
            "binary_version": "8.14.1-2ubuntu1.2"
        },
        {
            "binary_version": "8.14.1-2ubuntu1.2",
            "binary_name": "libcurl4-gnutls-dev"
        },
        {
            "binary_name": "libcurl4-openssl-dev",
            "binary_version": "8.14.1-2ubuntu1.2"
        },
        {
            "binary_name": "libcurl4t64",
            "binary_version": "8.14.1-2ubuntu1.2"
        }
    ]
}

Database specific

cves_map
{
    "cves": [
        {
            "id": "CVE-2026-1965",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        },
        {
            "id": "CVE-2026-3783",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        },
        {
            "id": "CVE-2026-3784",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-3805",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ],
    "ecosystem": "Ubuntu:25.10"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8084-1.json"