JLSEC-2026-429

See a problem?
Please try reporting it to the source first.

Source

https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-429.md

Import Source

https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-429.json

JSON Data

https://api.test.osv.dev/v1/vulns/JLSEC-2026-429

Upstream

CVE-2025-14819

EUVD-2026-1566

GHSA-vqhr-m87q-9jqh

Published

2026-05-04T13:12:06.605Z

Modified

2026-05-04T13:32:22.737356866Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

When doing TLS related transfers with reused easy or multi handles and altering the ...

Details

When doing TLS related transfers with reused easy or multi handles and altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

Database specific

{
    "license": "CC-BY-4.0",
    "sources": [
        {
            "published": "2026-01-08T10:15:46.730Z",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-14819",
            "database_specific": {
                "status": "Analyzed"
            },
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14819",
            "id": "CVE-2025-14819",
            "modified": "2026-01-20T14:51:26.263Z",
            "imported": "2026-05-02T08:39:50.022Z"
        },
        {
            "html_url": "https://github.com/advisories/GHSA-vqhr-m87q-9jqh",
            "imported": "2026-05-02T08:42:42.532Z",
            "id": "GHSA-vqhr-m87q-9jqh",
            "url": "https://api.github.com/advisories/GHSA-vqhr-m87q-9jqh",
            "modified": "2026-01-08T15:32:29Z",
            "published": "2026-01-08T12:30:29Z"
        },
        {
            "imported": "2026-05-02T08:41:04.784Z",
            "published": "2026-01-08T10:07:54Z",
            "url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2026-1566",
            "id": "EUVD-2026-1566",
            "modified": "2026-01-08T15:02:04Z",
            "html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-1566"
        }
    ]
}

References

Affected packages

Julia / CURL_jll

Package

Name: CURL_jll
Purl: pkg:julia/CURL_jll?uuid=b21e61f3-bafc-59ac-ab14-4c5c62d6588d

Affected ranges

Type: SEMVER
Events: Introduced

8.5.0+0

Fixed

8.20.0+0

Database specific

source

"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-429.json"

Julia / LibCURL_jll

Package

Name: LibCURL_jll
Purl: pkg:julia/LibCURL_jll?uuid=deac9b47-8bc7-5906-a0fe-35ac56dc84c0

Affected ranges

Type: SEMVER
Events: Introduced

7.87.0+0

Fixed

8.18.0+0

Database specific

source

"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-429.json"