CVE-2026-8458

Publication date 24 June 2026

Last updated 2 July 2026


Ubuntu priority

Description

libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different "services". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.

Why is this CVE low priority?

Upstream defined this as low severity

Learn more about Ubuntu priority

Status

Package Ubuntu Release Status
curl 26.04 LTS resolute
Fixed 8.18.0-1ubuntu2.2
25.10 questing
Fixed 8.14.1-2ubuntu1.4
24.04 LTS noble
Fixed 8.5.0-2ubuntu10.10
22.04 LTS jammy
Fixed 7.81.0-1ubuntu1.25
20.04 LTS focal
Fixed 7.68.0-1ubuntu2.25+esm4
18.04 LTS bionic
Fixed 7.58.0-2ubuntu3.24+esm9
16.04 LTS xenial
Not affected
14.04 LTS trusty
Not affected

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
curl

References

Related Ubuntu Security Notices (USN)

Other references


Access our resources on patching vulnerabilities