CVE-2026-11856
Publication date 24 June 2026
Last updated 7 July 2026
Ubuntu priority
Description
Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one (`hostB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Authorization:` header field meant for `hostA`, to `hostB`.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| curl | 26.04 LTS resolute | Ignored changes too intrusive |
| 25.10 questing | Ignored changes too intrusive | |
| 24.04 LTS noble | Ignored changes too intrusive | |
| 22.04 LTS jammy | Ignored changes too intrusive | |
| 20.04 LTS focal | Ignored changes too intrusive | |
| 18.04 LTS bionic | Ignored changes too intrusive | |
| 16.04 LTS xenial | Ignored changes too intrusive | |
| 14.04 LTS trusty | Ignored changes too intrusive |
Notes
kkernick
This fix is predicated on Curl_creds, which was introduced in 8f71d0f in 8.21, and several subsequent commits adding to it.