
Ubuntu 20.04 LTS curl Security Vulnerabilities Denial of Service USN-8062-2

Several security issues were fixed in curl.
==========================================================================
Ubuntu Security Notice USN-8062-2
March 03, 2026

curl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

USN-8062-1 fixed vulnerabilities in curl. This update provides the
corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224
for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04
LTS.

Original advisory details:

 It was discovered that curl incorrectly handled cookies when redirected
 from secure to insecure connections. An attacker could possibly use this
 issue to cause a denial of service, or obtain sensitive information.
 This issue only affected Ubuntu 25.10. (CVE-2025-9086)

 Calvin Ruocco discovered that curl did not properly handle WebSocket
 communications under certain circumstances. A malicious server could
 possibly use this issue to poison proxy caches with malicious content.
 This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
 (CVE-2025-10148)

 Stanislav Fort discovered that wcurl did not properly handle URLs with
 certain encoded characters. If a user were tricked into processing
 a specially crafted URL, an attacker could possibly use this issue to
 write files outside the intended directory. This issue only affected
 Ubuntu 25.10. (CVE-2025-11563)

 Stanislav Fort discovered that curl did not properly validate pinned
 public keys under certain circumstances. A remote attacker could
 possibly use this issue to perform a machine-in-the-middle attack. This
 issue only affected Ubuntu 25.10. (CVE-2025-13034)

 Stanislav Fort discovered that curl did not properly manage TLS options
 when performing LDAP over TLS transfers in multi-threaded environments.
 Under certain circumstances, certificate verification could be
 unintentionally and unknowingly disabled. (CVE-2025-14017)

 It was discovered that curl incorrectly handled OAuth2 bearer tokens
 when following redirects. A remote attacker could possibly use this
 issue to obtain authentication credentials. (CVE-2025-14524)

 Stanislav Fort discovered that curl did not properly validate TLS
 certificates when reusing connections. A remote attacker could possibly
 use this issue to bypass expected certificate verification. This issue
 only affected Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-14819)

 Harry Sintonen discovered that curl did not properly validate SSH host
 keys when performing SSH-based file transfers. This issue could lead to
 an unintended bypass of a custom known_hosts file. This issue only
 affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-15079)

 Harry Sintonen discovered that curl built with libssh did not properly
 handle authentication when performing SSH-based file transfers. This
 could result in unintended authentication operations. This issue only
 affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-15224)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  curl                            7.68.0-1ubuntu2.25+esm2
                                  Available with Ubuntu Pro
  libcurl4                        7.68.0-1ubuntu2.25+esm2
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  curl                            7.58.0-2ubuntu3.24+esm7
                                  Available with Ubuntu Pro
  libcurl4                        7.58.0-2ubuntu3.24+esm7
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  curl                            7.47.0-1ubuntu2.19+esm15
                                  Available with Ubuntu Pro
  libcurl3                        7.47.0-1ubuntu2.19+esm15
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  curl                            7.35.0-1ubuntu2.20+esm19
                                  Available with Ubuntu Pro
  libcurl3                        7.35.0-1ubuntu2.20+esm19
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8062-2
  https://ubuntu.com/security/notices/USN-8062-1
  CVE-2025-14017, CVE-2025-15079, CVE-2025-15224

Severity: important
