DEBIAN-CVE-2026-8932

Source
https://security-tracker.debian.org/tracker/CVE-2026-8932
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-8932.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-8932
Upstream
Published
2026-07-03T07:16:25.363Z
Modified
2026-07-07T10:00:13.909115790Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.

References

Affected packages

Debian:11 / curl

Package

Name
curl
Purl
pkg:deb/debian/curl?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*
7.74.0-1.3
7.74.0-1.3+deb11u1
7.74.0-1.3+deb11u2
7.74.0-1.3+deb11u3
7.74.0-1.3+deb11u4
7.74.0-1.3+deb11u5
7.74.0-1.3+deb11u6
7.74.0-1.3+deb11u7~bpo11+1
7.74.0-1.3+deb11u7
7.74.0-1.3+deb11u8
7.74.0-1.3+deb11u9
7.74.0-1.3+deb11u10
7.74.0-1.3+deb11u11
7.74.0-1.3+deb11u12
7.74.0-1.3+deb11u13
7.74.0-1.3+deb11u14
7.74.0-1.3+deb11u15
7.74.0-1.3+deb11u16
7.79.1-1
7.79.1-2
7.79.1-3~exp1
7.79.1-3~exp2
7.80.0-1
7.80.0-2
7.80.0-3
7.81.0-1~bpo11+1
7.81.0-1
7.82.0-1
7.82.0-2~bpo11+1
7.82.0-2
7.83.0-1
7.83.1-1
7.83.1-2
7.84.0-1
7.84.0-2~bpo11+1
7.84.0-2
7.85.0-1~bpo11+1
7.85.0-1
7.86.0-1
7.86.0-2
7.86.0-3
7.87.0-1~bpo11+1
7.87.0-1
7.87.0-2~bpo11+1
7.87.0-2
7.88.1-1~bpo11+1
7.88.1-1
7.88.1-2~exp1
7.88.1-2~exp2
7.88.1-2~exp3
7.88.1-2~exp4
7.88.1-2
7.88.1-3
7.88.1-4
7.88.1-5
7.88.1-6
7.88.1-7~bpo11+1
7.88.1-7~bpo11+2
7.88.1-7~exp1
7.88.1-7
7.88.1-8~exp1
7.88.1-8
7.88.1-9
7.88.1-10
7.88.1-11
8.*
8.0.1-1~exp1
8.2.1-1
8.2.1-2~bpo12+1
8.2.1-2
8.3.0-1
8.3.0-2~bpo12+1
8.3.0-2~exp1
8.3.0-2
8.3.0-3
8.4.0-1
8.4.0-2~bpo12+1
8.4.0-2
8.5.0-1
8.5.0-1+exp1
8.5.0-2~bpo12+1
8.5.0-2
8.5.0-2+exp1
8.6.0-1
8.6.0-1.1
8.6.0-2
8.6.0-3
8.6.0-3.1~exp1
8.6.0-3.1~exp2
8.6.0-3.1
8.6.0-3.2
8.6.0-4
8.7.1-1
8.7.1-1+exp1
8.7.1-2
8.7.1-3
8.7.1-4
8.7.1-5~bpo12+1
8.7.1-5
8.7.1-5+exp1
8.8.0-1~bpo12+1
8.8.0-1
8.8.0-1+exp1
8.8.0-1+exp2
8.8.0-2
8.8.0-3
8.8.0-4
8.9.0-1
8.9.0-2
8.9.0-3
8.9.1-1
8.9.1-2~bpo12+1
8.9.1-2
8.10.0-1
8.10.0-2
8.10.1-1~bpo12+1
8.10.1-1
8.10.1-2
8.11.0-1
8.11.1-1~bpo12+1
8.11.1-1
8.12.0+git20250209.89ed161+ds-1~bpo12+1
8.12.0+git20250209.89ed161+ds-1
8.12.1-1
8.12.1-2~bpo12+1
8.12.1-2
8.12.1-3~bpo12+1
8.12.1-3
8.13.0~rc-1~exp1
8.13.0~rc-1~exp2
8.13.0~rc2-1
8.13.0~rc2-2
8.13.0~rc3-1
8.13.0~rc3-1+exp1
8.13.0-1
8.13.0-1+exp1
8.13.0-2
8.13.0-2+exp1
8.13.0-3
8.13.0-4
8.13.0-4+exp1
8.13.0-5~bpo12+1
8.13.0-5
8.13.0-5+exp1
8.14.0~rc1-1+exp1
8.14.0~rc2-1+exp1
8.14.0~rc3-1+exp1
8.14.0-1
8.14.0-1+exp1
8.14.1-1~bpo12+1
8.14.1-1
8.14.1-2~bpo12+1
8.14.1-2
8.14.1-2+exp1
8.15.0~rc1-1exp1
8.15.0~rc2-1~exp1
8.15.0~rc3-1~exp1
8.15.0-1~bpo13+1
8.15.0-1~exp1
8.15.0-1
8.16.0~rc1-1~exp1
8.16.0~rc2-1
8.16.0~rc2-2
8.16.0~rc3-1
8.16.0-1~bpo13+1
8.16.0-1
8.16.0-1+exp1
8.16.0-2
8.16.0-3
8.16.0-4~bpo13+1
8.16.0-4
8.17.0~rc1-1~exp1
8.17.0~rc2-1
8.17.0~rc3-1
8.17.0-1
8.17.0-2
8.17.0-3
8.18.0~rc1-1+exp1
8.18.0~rc2-1
8.18.0~rc3-1
8.18.0-1~bpo13+1
8.18.0-1
8.18.0-2
8.19.0~rc1-1~exp1
8.19.0~rc2-1
8.19.0~rc2-2
8.19.0~rc3-1
8.19.0-1~bpo13+1
8.19.0-1
8.19.0-1+exp1
8.19.0-2
8.19.0-3
8.19.0-3+exp1
8.19.0-3+exp2
8.20.0~rc1-1+exp1
8.20.0~rc1-1+exp2
8.20.0~rc1-1+exp3
8.20.0~rc2-1
8.20.0~rc2-1+exp1
8.20.0~rc3-1
8.20.0~rc3-1+exp1
8.20.0-1
8.20.0-1+exp
8.20.0-2~bpo13+1
8.20.0-2
8.20.0-2+exp1
8.20.0-3
8.20.0-4
8.20.0-5~bpo13+1
8.20.0-5
8.21.0~rc1-1+exp1
8.21.0~rc2-1
8.21.0~rc2-1+exp1
8.21.0~rc3-1
8.21.0~rc3-1+exp1
8.21.0-1
8.21.0-1+exp1
8.21.0-2
8.21.0-2+exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-8932.json"

Debian:12 / curl

Package

Name
curl
Purl
pkg:deb/debian/curl?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*
7.88.1-10
7.88.1-10+deb12u1~bpo11+1
7.88.1-10+deb12u1
7.88.1-10+deb12u2
7.88.1-10+deb12u3~bpo11+1
7.88.1-10+deb12u3
7.88.1-10+deb12u4
7.88.1-10+deb12u5~bpo11+1
7.88.1-10+deb12u5
7.88.1-10+deb12u6~bpo11+1
7.88.1-10+deb12u6
7.88.1-10+deb12u7
7.88.1-10+deb12u8
7.88.1-10+deb12u9
7.88.1-10+deb12u11
7.88.1-10+deb12u12
7.88.1-10+deb12u13
7.88.1-10+deb12u14
7.88.1-10+deb12u15
7.88.1-11
8.*
8.0.1-1~exp1
8.2.1-1
8.2.1-2~bpo12+1
8.2.1-2
8.3.0-1
8.3.0-2~bpo12+1
8.3.0-2~exp1
8.3.0-2
8.3.0-3
8.4.0-1
8.4.0-2~bpo12+1
8.4.0-2
8.5.0-1
8.5.0-1+exp1
8.5.0-2~bpo12+1
8.5.0-2
8.5.0-2+exp1
8.6.0-1
8.6.0-1.1
8.6.0-2
8.6.0-3
8.6.0-3.1~exp1
8.6.0-3.1~exp2
8.6.0-3.1
8.6.0-3.2
8.6.0-4
8.7.1-1
8.7.1-1+exp1
8.7.1-2
8.7.1-3
8.7.1-4
8.7.1-5~bpo12+1
8.7.1-5
8.7.1-5+exp1
8.8.0-1~bpo12+1
8.8.0-1
8.8.0-1+exp1
8.8.0-1+exp2
8.8.0-2
8.8.0-3
8.8.0-4
8.9.0-1
8.9.0-2
8.9.0-3
8.9.1-1
8.9.1-2~bpo12+1
8.9.1-2
8.10.0-1
8.10.0-2
8.10.1-1~bpo12+1
8.10.1-1
8.10.1-2
8.11.0-1
8.11.1-1~bpo12+1
8.11.1-1
8.12.0+git20250209.89ed161+ds-1~bpo12+1
8.12.0+git20250209.89ed161+ds-1
8.12.1-1
8.12.1-2~bpo12+1
8.12.1-2
8.12.1-3~bpo12+1
8.12.1-3
8.13.0~rc-1~exp1
8.13.0~rc-1~exp2
8.13.0~rc2-1
8.13.0~rc2-2
8.13.0~rc3-1
8.13.0~rc3-1+exp1
8.13.0-1
8.13.0-1+exp1
8.13.0-2
8.13.0-2+exp1
8.13.0-3
8.13.0-4
8.13.0-4+exp1
8.13.0-5~bpo12+1
8.13.0-5
8.13.0-5+exp1
8.14.0~rc1-1+exp1
8.14.0~rc2-1+exp1
8.14.0~rc3-1+exp1
8.14.0-1
8.14.0-1+exp1
8.14.1-1~bpo12+1
8.14.1-1
8.14.1-2~bpo12+1
8.14.1-2
8.14.1-2+exp1
8.15.0~rc1-1exp1
8.15.0~rc2-1~exp1
8.15.0~rc3-1~exp1
8.15.0-1~bpo13+1
8.15.0-1~exp1
8.15.0-1
8.16.0~rc1-1~exp1
8.16.0~rc2-1
8.16.0~rc2-2
8.16.0~rc3-1
8.16.0-1~bpo13+1
8.16.0-1
8.16.0-1+exp1
8.16.0-2
8.16.0-3
8.16.0-4~bpo13+1
8.16.0-4
8.17.0~rc1-1~exp1
8.17.0~rc2-1
8.17.0~rc3-1
8.17.0-1
8.17.0-2
8.17.0-3
8.18.0~rc1-1+exp1
8.18.0~rc2-1
8.18.0~rc3-1
8.18.0-1~bpo13+1
8.18.0-1
8.18.0-2
8.19.0~rc1-1~exp1
8.19.0~rc2-1
8.19.0~rc2-2
8.19.0~rc3-1
8.19.0-1~bpo13+1
8.19.0-1
8.19.0-1+exp1
8.19.0-2
8.19.0-3
8.19.0-3+exp1
8.19.0-3+exp2
8.20.0~rc1-1+exp1
8.20.0~rc1-1+exp2
8.20.0~rc1-1+exp3
8.20.0~rc2-1
8.20.0~rc2-1+exp1
8.20.0~rc3-1
8.20.0~rc3-1+exp1
8.20.0-1
8.20.0-1+exp
8.20.0-2~bpo13+1
8.20.0-2
8.20.0-2+exp1
8.20.0-3
8.20.0-4
8.20.0-5~bpo13+1
8.20.0-5
8.21.0~rc1-1+exp1
8.21.0~rc2-1
8.21.0~rc2-1+exp1
8.21.0~rc3-1
8.21.0~rc3-1+exp1
8.21.0-1
8.21.0-1+exp1
8.21.0-2
8.21.0-2+exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-8932.json"

Debian:13 / curl

Package

Name
curl
Purl
pkg:deb/debian/curl?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.14.1-2
8.14.1-2+deb13u1
8.14.1-2+deb13u2~bpo13+1
8.14.1-2+deb13u2
8.14.1-2+deb13u3
8.14.1-2+deb13u4
8.14.1-2+exp1
8.15.0~rc1-1exp1
8.15.0~rc2-1~exp1
8.15.0~rc3-1~exp1
8.15.0-1~bpo13+1
8.15.0-1~exp1
8.15.0-1
8.16.0~rc1-1~exp1
8.16.0~rc2-1
8.16.0~rc2-2
8.16.0~rc3-1
8.16.0-1~bpo13+1
8.16.0-1
8.16.0-1+exp1
8.16.0-2
8.16.0-3
8.16.0-4~bpo13+1
8.16.0-4
8.17.0~rc1-1~exp1
8.17.0~rc2-1
8.17.0~rc3-1
8.17.0-1
8.17.0-2
8.17.0-3
8.18.0~rc1-1+exp1
8.18.0~rc2-1
8.18.0~rc3-1
8.18.0-1~bpo13+1
8.18.0-1
8.18.0-2
8.19.0~rc1-1~exp1
8.19.0~rc2-1
8.19.0~rc2-2
8.19.0~rc3-1
8.19.0-1~bpo13+1
8.19.0-1
8.19.0-1+exp1
8.19.0-2
8.19.0-3
8.19.0-3+exp1
8.19.0-3+exp2
8.20.0~rc1-1+exp1
8.20.0~rc1-1+exp2
8.20.0~rc1-1+exp3
8.20.0~rc2-1
8.20.0~rc2-1+exp1
8.20.0~rc3-1
8.20.0~rc3-1+exp1
8.20.0-1
8.20.0-1+exp
8.20.0-2~bpo13+1
8.20.0-2
8.20.0-2+exp1
8.20.0-3
8.20.0-4
8.20.0-5~bpo13+1
8.20.0-5
8.21.0~rc1-1+exp1
8.21.0~rc2-1
8.21.0~rc2-1+exp1
8.21.0~rc3-1
8.21.0~rc3-1+exp1
8.21.0-1
8.21.0-1+exp1
8.21.0-2
8.21.0-2+exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-8932.json"

Debian:14 / curl

Package

Name
curl
Purl
pkg:deb/debian/curl?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.14.1-2
8.14.1-2+exp1
8.15.0~rc1-1exp1
8.15.0~rc2-1~exp1
8.15.0~rc3-1~exp1
8.15.0-1~bpo13+1
8.15.0-1~exp1
8.15.0-1
8.16.0~rc1-1~exp1
8.16.0~rc2-1
8.16.0~rc2-2
8.16.0~rc3-1
8.16.0-1~bpo13+1
8.16.0-1
8.16.0-1+exp1
8.16.0-2
8.16.0-3
8.16.0-4~bpo13+1
8.16.0-4
8.17.0~rc1-1~exp1
8.17.0~rc2-1
8.17.0~rc3-1
8.17.0-1
8.17.0-2
8.17.0-3
8.18.0~rc1-1+exp1
8.18.0~rc2-1
8.18.0~rc3-1
8.18.0-1~bpo13+1
8.18.0-1
8.18.0-2
8.19.0~rc1-1~exp1
8.19.0~rc2-1
8.19.0~rc2-2
8.19.0~rc3-1
8.19.0-1~bpo13+1
8.19.0-1
8.19.0-1+exp1
8.19.0-2
8.19.0-3
8.19.0-3+exp1
8.19.0-3+exp2
8.20.0~rc1-1+exp1
8.20.0~rc1-1+exp2
8.20.0~rc1-1+exp3
8.20.0~rc2-1
8.20.0~rc2-1+exp1
8.20.0~rc3-1
8.20.0~rc3-1+exp1
8.20.0-1
8.20.0-1+exp
8.20.0-2~bpo13+1
8.20.0-2
8.20.0-2+exp1
8.20.0-3
8.20.0-4
8.20.0-5~bpo13+1
8.20.0-5
8.21.0~rc1-1+exp1
8.21.0~rc2-1
8.21.0~rc2-1+exp1
8.21.0~rc3-1
8.21.0~rc3-1+exp1
8.21.0-1
8.21.0-1+exp1
8.21.0-2
8.21.0-2+exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-8932.json"