Alerts This Week
Warning Icon 1 537
Alerts This Week
Warning Icon 1 537

Ubuntu 25.10 curl Important Credential Leak DoS Vuln 8084-1

Calendar Mar 11, 2026 User Avatar LinuxSecurity Advisories
2 - 3 min read
Ubuntu Large Esm H500
Topics%20covered

Topics Covered

security advisory DoS Ubuntu important curl credential leak
Several security issues were fixed in curl. 
==========================================================================
Ubuntu Security Notice USN-8084-1
March 11, 2026

curl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. (CVE-2026-1965)

It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. (CVE-2026-3783)

Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect credentials, contrary to expectations.
(CVE-2026-3784)

Daniel Wade discovered that curl incorrectly handled certain memory
operations when doing a second SMB request to the same host. An attacker
could use this issue to cause curl to crash, resulting in a denial of
service, or possibly execute arbitrary code. This issue only affected
Ubuntu 25.10. (CVE-2026-3805)

Yihang Zhou discovered that curl incorrectly reused .netrc file credentials
when following redirects. This could result in the use of credentials for
a different host, contrary to expectations. This issue only affected Ubuntu
22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-0167)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
  curl                            8.14.1-2ubuntu1.2
  libcurl3t64-gnutls              8.14.1-2ubuntu1.2
  libcurl4t64                     8.14.1-2ubuntu1.2

Ubuntu 24.04 LTS
  curl                            8.5.0-2ubuntu10.8
  libcurl3t64-gnutls              8.5.0-2ubuntu10.8
  libcurl4t64                     8.5.0-2ubuntu10.8

Ubuntu 22.04 LTS
  curl                            7.81.0-1ubuntu1.23
  libcurl3-gnutls                 7.81.0-1ubuntu1.23
  libcurl3-nss                    7.81.0-1ubuntu1.23
  libcurl4                        7.81.0-1ubuntu1.23

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8084-1
  CVE-2025-0167, CVE-2026-1965, CVE-2026-3783, CVE-2026-3784,
  CVE-2026-3805

Package Information:
  https://launchpad.net/ubuntu/+source/curl/8.14.1-2ubuntu1.2
  https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.8
  https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.23

Ubuntu 25.10 curl Important Credential Leak DoS Vuln 8084-1

ubuntu
Calendar Grey March 11, 2026
Dist Ubuntu Esm H88
Multiple security fixes for curl in Ubuntu prevent credential leaks and enhance protection against denial of service attacks.
Several security issues were fixed in curl.

Summary

A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in curl. Software Description: - curl: HTTP, HTTPS, and FTP client and client libraries Details: Zhicheng Chen discovered that curl could incorrectly reuse the wrong connection for Negotiate-authenticated HTTP or HTTPS requests. This could result in the use of credentials from a different connection, contrary to expectations. (CVE-2026-1965) It was discovered that curl incorrectly leaked OAuth2 bearer tokens when following a redirect. This could result in tokens being sent to the wrong host, contrary to expectations. (CVE-2026-3783) Muhamad Arga Reksapati discovered that curl incorrectly reused existing HTTP proxy connections even if the request used different credentials. This could result in the use of incorrect credentials, contrary to expectations. (CVE-2026-3784) Daniel Wade discovered that curl incorre...

Read the Full Advisory

Topics%20covered

Topics Covered

security advisory DoS Ubuntu important curl credential leak

Update Instructions

The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 curl 8.14.1-2ubuntu1.2 libcurl3t64-gnutls 8.14.1-2ubuntu1.2 libcurl4t64 8.14.1-2ubuntu1.2 Ubuntu 24.04 LTS curl 8.5.0-2ubuntu10.8 libcurl3t64-gnutls 8.5.0-2ubuntu10.8 libcurl4t64 8.5.0-2ubuntu10.8 Ubuntu 22.04 LTS curl 7.81.0-1ubuntu1.23 libcurl3-gnutls 7.81.0-1ubuntu1.23 libcurl3-nss 7.81.0-1ubuntu1.23 libcurl4 7.81.0-1ubuntu1.23 In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-8084-1

CVE-2025-0167, CVE-2026-1965, CVE-2026-3783, CVE-2026-3784,

CVE-2026-3805

Severity
important
Lowest
Low
Medium
High
Critical

Ubuntu Security Notice USN-8084-1

Topics%20covered

Topics Covered

security advisory DoS Ubuntu important curl credential leak

Package Information

https://launchpad.net/ubuntu/+source/curl/8.14.1-2ubuntu1.2 https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.8 https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.23

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here