Critical curl Vulnerabilities Expose TLS, Auth, and Cookie Handling Flaws
Ubuntu security advisory USN-8487-1 addresses four significant vulnerabilities in curl affecting connection reuse, authentication, and cookie parsing. Organizations using curl across multiple Ubuntu LTS versions should prioritize patching to prevent credential theft and TLS configuration bypass attacks.
TL;DR
- curl reuses live connections during STARTTLS upgrades without validating TLS configuration match, allowing attackers to force unintended encryption settings
- Negotiate authentication connections are incorrectly reused across different services, enabling cross-service credential theft
- Cookie parsing flaws permit attackers to inject cookies destined for unrelated third-party domains
- GSASL context double-free vulnerability in SASL authentication can trigger memory corruption and denial of service
Canonical released security notice USN-8487-1 addressing four distinct vulnerabilities in curl, the widely-deployed command-line HTTP client and library. These flaws span critical security domains: transport layer configuration validation, authentication context isolation, session cookie handling, and memory safety in SASL authentication flows.
The vulnerabilities affect multiple Ubuntu LTS versions including 18.04, 20.04, 22.04, 24.04, and newer releases. Organizations relying on curl for API integrations, automation, or embedded HTTP functionality should treat these patches as high-priority, particularly those handling sensitive authentication or operating in multi-tenant environments.
Connection Reuse and TLS Configuration Bypass
- CVE-2026-8286: curl reuses existing live connections during STARTTLS-based upgrades without verifying TLS configuration compatibility
- Attackers can force curl to apply unintended TLS settings by manipulating connection reuse logic
- Impacts encrypted communication integrity when STARTTLS negotiation occurs on pooled connections
Authentication Context Isolation Failures
- CVE-2026-8458: Negotiate-authenticated connections are incorrectly reused when different services are accessed
- Enables credential leakage across service boundaries, allowing attackers to access resources authenticated for another service
- Affects Ubuntu 18.04 LTS through 26.04 LTS; particularly dangerous in microservice and multi-API environments
Cookie Parsing and Domain Injection
- CVE-2026-8924: Improper cookie parsing allows remote attackers to inject cookies destined for unrelated third-party domains
- Cookies set by attacker-controlled responses can be transmitted to legitimate third-party sites, enabling session hijacking or tracking
- Affects Ubuntu 16.04 LTS and later; impacts any curl usage with automatic cookie jar handling
SASL Authentication Memory Safety
- Double-free vulnerability in GSASL context handling during SASL authentication flows
- Can trigger memory corruption, crash, or potential code execution in applications using curl with SASL
- Requires immediate patching for deployments using SASL-based authentication mechanisms
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.