CVE-2026-11856

Publication date 24 June 2026

Last updated 7 July 2026


Ubuntu priority

Description

Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one (`hostB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Authorization:` header field meant for `hostA`, to `hostB`.

Read the notes from the security team

Status

Package Ubuntu Release Status
curl 26.04 LTS resolute Ignored changes too intrusive
25.10 questing Ignored changes too intrusive
24.04 LTS noble Ignored changes too intrusive
22.04 LTS jammy Ignored changes too intrusive
20.04 LTS focal Ignored changes too intrusive
18.04 LTS bionic Ignored changes too intrusive
16.04 LTS xenial Ignored changes too intrusive
14.04 LTS trusty Ignored changes too intrusive

Notes


kkernick

This fix is predicated on Curl_creds, which was introduced in 8f71d0f in 8.21, and several subsequent commits adding to it.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
curl

Access our resources on patching vulnerabilities