CVE-2026-8458
Publication date 24 June 2026
Last updated 2 July 2026
Ubuntu priority
Description
libcurl might in some circumstances reuse the wrong connection when asked to perform Negotiate-authenticated requests, even when they are set to use different "services". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection, a range of criteria must be met. Due to a logical error in the code, a request issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.
Why is this CVE low priority?
Upstream defined this as low severity
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| curl | 26.04 LTS resolute | Fixed 8.18.0-1ubuntu2.2 |
| | 25.10 questing | Fixed 8.14.1-2ubuntu1.4 |
| | 24.04 LTS noble | Fixed 8.5.0-2ubuntu10.10 |
| | 22.04 LTS jammy | Fixed 7.81.0-1ubuntu1.25 |
| | 20.04 LTS focal | Fixed 7.68.0-1ubuntu2.25+esm4 |
| | 18.04 LTS bionic | Fixed 7.58.0-2ubuntu3.24+esm9 |
| | 16.04 LTS xenial | Not affected |
| | 14.04 LTS trusty | Not affected |
References
Related Ubuntu Security Notices (USN)
- USN-8487-1: curl vulnerabilities (30 June 2026)