USN-8099-1

Source
https://ubuntu.com/security/notices/USN-8099-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8099-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/USN-8099-1
Published
2026-03-16T17:35:41Z
Modified
2026-03-17T09:14:11.915220Z
Summary
curl vulnerabilities
Details

Zhicheng Chen discovered that curl could incorrectly reuse the wrong connection for Negotiate-authenticated HTTP or HTTPS requests. This could result in the use of credentials from a different connection, contrary to expectations. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-1965)

It was discovered that curl incorrectly leaked OAuth2 bearer tokens when following a redirect. This could result in tokens being sent to the wrong host, contrary to expectations. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-3783)

Muhamad Arga Reksapati discovered that curl incorrectly reused existing HTTP proxy connections even if the request used different credentials. This could result in the use of incorrect credentials, contrary to expectations. (CVE-2026-3784)

Affected packages

Ubuntu:Pro:18.04:LTS / curl

Package

Name
curl
Purl
pkg:deb/ubuntu/curl@7.58.0-2ubuntu3.24+esm8?arch=source&distro=esm-infra/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
7.58.0-2ubuntu3.24+esm8

Affected versions

7.*
7.55.1-1ubuntu2
7.55.1-1ubuntu2.1
7.57.0-1ubuntu1
7.58.0-2ubuntu1
7.58.0-2ubuntu2
7.58.0-2ubuntu3
7.58.0-2ubuntu3.1
7.58.0-2ubuntu3.2
7.58.0-2ubuntu3.3
7.58.0-2ubuntu3.5
7.58.0-2ubuntu3.6
7.58.0-2ubuntu3.7
7.58.0-2ubuntu3.8
7.58.0-2ubuntu3.9
7.58.0-2ubuntu3.10
7.58.0-2ubuntu3.12
7.58.0-2ubuntu3.13
7.58.0-2ubuntu3.14
7.58.0-2ubuntu3.15
7.58.0-2ubuntu3.16
7.58.0-2ubuntu3.17
7.58.0-2ubuntu3.18
7.58.0-2ubuntu3.19
7.58.0-2ubuntu3.20
7.58.0-2ubuntu3.21
7.58.0-2ubuntu3.22
7.58.0-2ubuntu3.23
7.58.0-2ubuntu3.24
7.58.0-2ubuntu3.24+esm1
7.58.0-2ubuntu3.24+esm2
7.58.0-2ubuntu3.24+esm3
7.58.0-2ubuntu3.24+esm4
7.58.0-2ubuntu3.24+esm5
7.58.0-2ubuntu3.24+esm7

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "7.58.0-2ubuntu3.24+esm8",
            "binary_name": "curl"
        },
        {
            "binary_version": "7.58.0-2ubuntu3.24+esm8",
            "binary_name": "libcurl3-gnutls"
        },
        {
            "binary_version": "7.58.0-2ubuntu3.24+esm8",
            "binary_name": "libcurl3-nss"
        },
        {
            "binary_version": "7.58.0-2ubuntu3.24+esm8",
            "binary_name": "libcurl4"
        },
        {
            "binary_version": "7.58.0-2ubuntu3.24+esm8",
            "binary_name": "libcurl4-gnutls-dev"
        },
        {
            "binary_version": "7.58.0-2ubuntu3.24+esm8",
            "binary_name": "libcurl4-nss-dev"
        },
        {
            "binary_version": "7.58.0-2ubuntu3.24+esm8",
            "binary_name": "libcurl4-openssl-dev"
        }
    ]
}

Database specific

cves_map
{
    "cves": [
        {
            "id": "CVE-2026-3784",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        }
    ],
    "ecosystem": "Ubuntu:Pro:18.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8099-1.json"

Ubuntu:Pro:20.04:LTS / curl

Package

Name
curl
Purl
pkg:deb/ubuntu/curl@7.68.0-1ubuntu2.25+esm3?arch=source&distro=esm-infra/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
7.68.0-1ubuntu2.25+esm3

Affected versions

7.*
7.65.3-1ubuntu3
7.65.3-1ubuntu4
7.66.0-1ubuntu1
7.67.0-2ubuntu1
7.68.0-1ubuntu1
7.68.0-1ubuntu2
7.68.0-1ubuntu2.1
7.68.0-1ubuntu2.2
7.68.0-1ubuntu2.4
7.68.0-1ubuntu2.5
7.68.0-1ubuntu2.6
7.68.0-1ubuntu2.7
7.68.0-1ubuntu2.10
7.68.0-1ubuntu2.11
7.68.0-1ubuntu2.12
7.68.0-1ubuntu2.13
7.68.0-1ubuntu2.14
7.68.0-1ubuntu2.15
7.68.0-1ubuntu2.16
7.68.0-1ubuntu2.18
7.68.0-1ubuntu2.19
7.68.0-1ubuntu2.20
7.68.0-1ubuntu2.21
7.68.0-1ubuntu2.22
7.68.0-1ubuntu2.23
7.68.0-1ubuntu2.24
7.68.0-1ubuntu2.25
7.68.0-1ubuntu2.25+esm2

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "7.68.0-1ubuntu2.25+esm3",
            "binary_name": "curl"
        },
        {
            "binary_version": "7.68.0-1ubuntu2.25+esm3",
            "binary_name": "libcurl3-gnutls"
        },
        {
            "binary_version": "7.68.0-1ubuntu2.25+esm3",
            "binary_name": "libcurl3-nss"
        },
        {
            "binary_version": "7.68.0-1ubuntu2.25+esm3",
            "binary_name": "libcurl4"
        },
        {
            "binary_version": "7.68.0-1ubuntu2.25+esm3",
            "binary_name": "libcurl4-gnutls-dev"
        },
        {
            "binary_version": "7.68.0-1ubuntu2.25+esm3",
            "binary_name": "libcurl4-nss-dev"
        },
        {
            "binary_version": "7.68.0-1ubuntu2.25+esm3",
            "binary_name": "libcurl4-openssl-dev"
        }
    ]
}

Database specific

cves_map
{
    "cves": [
        {
            "id": "CVE-2026-1965",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        },
        {
            "id": "CVE-2026-3783",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        },
        {
            "id": "CVE-2026-3784",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        }
    ],
    "ecosystem": "Ubuntu:Pro:20.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8099-1.json"