CVE-2026-9546
Publication date 24 June 2026
Last updated 8 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
A vulnerability in libcurl caused the HTTP `Referer:` header to persist even when explicitly cleared. While the documentation states that passing NULL to `CURLOPT_REFERER` suppresses the header, the option failed to clear the internal state. As a result, the previous referrer string was erroneously reused and sent in subsequent requests, potentially leaking sensitive information to unintended servers.
Why is this CVE low priority?
Upstream defined this as low severity
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| curl | 26.04 LTS resolute |
Not affected
|
| 25.10 questing |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Severity score breakdown
CVSS version: CVSS v3.0
Base score
7.5 · High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N