1. Ubuntu Security Notices
  2. USN-8099-1

USN-8099-1: curl vulnerabilities

Publication date

16 March 2026

Overview

Several security issues were fixed in curl.

Releases

Packages

  • curl - HTTP, HTTPS, and FTP client and client libraries

Details

Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-1965)

It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. This issue only affected Ubuntu 20.04 LTS.
(CVE-2026-3783)

Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect credentials, contrary to expectations.
(CVE-2026-3784)

Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-1965)

It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. This issue only affected Ubuntu 20.04 LTS.
(CVE-2026-3783)

Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect credentials, contrary to expectations.
(CVE-2026-3784)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
20.04 LTS focal curl –  7.68.0-1ubuntu2.25+esm3  
libcurl3-gnutls –  7.68.0-1ubuntu2.25+esm3  
libcurl3-nss –  7.68.0-1ubuntu2.25+esm3  
libcurl4 –  7.68.0-1ubuntu2.25+esm3  
18.04 LTS bionic curl –  7.58.0-2ubuntu3.24+esm8  
libcurl3-gnutls –  7.58.0-2ubuntu3.24+esm8  
libcurl3-nss –  7.58.0-2ubuntu3.24+esm8  
libcurl4 –  7.58.0-2ubuntu3.24+esm8  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›