An update for curl is now available for openEuler-24.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2453 Final 1.0 1.0 2026-05-22 Initial 2026-05-22 2026-05-22 openEuler SA Tool V1.0 2026-05-22 curl security update An update for curl is now available for openEuler-24.03-LTS-SP3 cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols. Security Fix(es): A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted.(CVE-2026-4873) libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...(CVE-2026-5545) libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.(CVE-2026-5773) curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy(CVE-2026-6253) Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.(CVE-2026-6276) When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.(CVE-2026-6429) Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`.(CVE-2026-7168) An update for curl is now available for openEuler-24.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High curl https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2453 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-4873 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-5545 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-5773 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-6253 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-6276 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-6429 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-7168 https://nvd.nist.gov/vuln/detail/CVE-2026-4873 https://nvd.nist.gov/vuln/detail/CVE-2026-5545 https://nvd.nist.gov/vuln/detail/CVE-2026-5773 https://nvd.nist.gov/vuln/detail/CVE-2026-6253 https://nvd.nist.gov/vuln/detail/CVE-2026-6276 https://nvd.nist.gov/vuln/detail/CVE-2026-6429 https://nvd.nist.gov/vuln/detail/CVE-2026-7168 openEuler-24.03-LTS-SP3 curl-8.4.0-29.oe2403sp3.aarch64.rpm curl-debuginfo-8.4.0-29.oe2403sp3.aarch64.rpm curl-debugsource-8.4.0-29.oe2403sp3.aarch64.rpm libcurl-8.4.0-29.oe2403sp3.aarch64.rpm libcurl-devel-8.4.0-29.oe2403sp3.aarch64.rpm curl-8.4.0-29.oe2403sp3.src.rpm curl-8.4.0-29.oe2403sp3.x86_64.rpm curl-debuginfo-8.4.0-29.oe2403sp3.x86_64.rpm curl-debugsource-8.4.0-29.oe2403sp3.x86_64.rpm libcurl-8.4.0-29.oe2403sp3.x86_64.rpm libcurl-devel-8.4.0-29.oe2403sp3.x86_64.rpm curl-help-8.4.0-29.oe2403sp3.noarch.rpm A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted. 2026-05-22 CVE-2026-4873 openEuler-24.03-LTS-SP3 Medium 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N curl security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2453 libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1... 2026-05-22 CVE-2026-5545 openEuler-24.03-LTS-SP3 Medium 6.5 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N curl security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2453 libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same. 2026-05-22 CVE-2026-5773 openEuler-24.03-LTS-SP3 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N curl security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2453 curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy 2026-05-22 CVE-2026-6253 openEuler-24.03-LTS-SP3 Medium 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H curl security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2453 Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them. 2026-05-22 CVE-2026-6276 openEuler-24.03-LTS-SP3 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H curl security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2453 When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances. 2026-05-22 CVE-2026-6429 openEuler-24.03-LTS-SP3 Medium 5.3 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N curl security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2453 Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`. 2026-05-22 CVE-2026-7168 openEuler-24.03-LTS-SP3 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N curl security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2453