Alerts This Week
Warning Icon 1 1,149
Alerts This Week
Warning Icon 1 1,149

Fedora 44 curl Security Advisory 2026-f13d888b0f Multiple CVEs Listed

fedora
Calendar Grey April 25, 2026
Dist Fedora Esm H88
This security advisory highlights potential risks in Fedora 44's curl, including major authentication and connection issues. Immediate action recommended.
Fix bad reuse of HTTP Negotiate connection (CVE-2026-1965) Fix token leak with redirect and netrc (CVE-2026-3783) Fix wrong proxy connection reuse with credentials (CVE-2026-3784) ...

Summary

curl is a command line tool for transferring data with URL syntax, supporting

FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,

SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP

uploading, HTTP form based upload, proxies, cookies, user+password

authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer

resume, proxy tunneling and a busload of other useful tricks.

Update Information:

Fix bad reuse of HTTP Negotiate connection (CVE-2026-1965) Fix token leak with redirect and netrc (CVE-2026-3783) Fix wrong proxy connection reuse with credentials (CVE-2026-3784) Fix use after free in SMB connection reuse (CVE-2026-3805) Fix Could not find digest algorithm UNDEF (NID 0)

Change Log

* Fri Apr 10 2026 Jan Macku - 8.18.0-6 - Fix bad reuse of HTTP Negotiate connection (CVE-2026-1965) - Fix token leak with redirect and netrc (CVE-2026-3783) - Fix wrong proxy connection reuse with credentials (CVE-2026-3784) - Fix use after free in SMB connection reuse (CVE-2026-3805) * Mon Mar 30 2026 Jan Macku - 8.18.0-5 - Fix `Could not find digest algorithm UNDEF (NID 0)` (#2438170)

References


[ 1 ] Bug #2438170 - OBJ_find_sigid_algs() returns NID_undef for ML-DSA certificate https://bugzilla.redhat.com/show_bug.cgi?id=2438170 [ 2 ] Bug #2457259 - CVE-2026-3805 curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling [fedora-44] https://bugzilla.redhat.com/show_bug.cgi?id=2457259 [ 3 ] Bug #2457261 - CVE-2026-1965 curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-44] https://bugzilla.redhat.com/show_bug.cgi?id=2457261 [ 4 ] Bug #2457262 - CVE-2026-3784 curl: curl: Unauthorized access due to improper HTTP proxy connection reuse [fedora-44] https://bugzilla.redhat.com/show_bug.cgi?id=2457262 [ 5 ] Bug #2457263 - CVE-2026-3783 curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-44] https://bugzilla.redhat.com/show_bug.cgi?id=2457263

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-f13d888b0f' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
important
Lowest
Low
Medium
High
Critical

Name: curl
Product: Fedora 44
Version: 8.18.0
Release: 6.fc44
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here