Ubuntu fixes multiple curl security flaws across supported releases
Ubuntu has released USN-8487-1 to address multiple curl vulnerabilities that could expose credentials, weaken connection security, enable denial of service, or in some cases possibly allow code execution on affected systems.

Key takeaways
- Ubuntu Security Notice USN-8487-1 addresses multiple curl vulnerabilities across several supported Ubuntu releases.
- The issues include risks involving TLS configuration reuse, credential exposure, cookie handling, denial of service, and possible code execution in specific cases.
- Affected versions vary by CVE, so defenders should verify exposure by Ubuntu release and curl usage in their environment.
- Applying Ubuntu security updates and validating curl-dependent applications should be the immediate response priority.
Intro
Ubuntu has published USN-8487-1 to fix a broad set of curl vulnerabilities affecting multiple supported releases. The advisory covers weaknesses tied to connection reuse, authentication handling, cookie parsing, proxy credential clearing, TLS behavior, and memory safety.
Because curl is deeply embedded in operating systems, automation pipelines, scripts, backup jobs, package workflows, and application stacks, these issues deserve attention even when curl is not used directly by end users.
Why it matters
This notice is notable for both its breadth and the range of security impacts described.
According to Ubuntu, the patched issues include:
- unintended reuse of live connections during STARTTLS-based upgrades with mismatched TLS settings (CVE-2026-8286)
- incorrect connection reuse for Negotiate-authenticated requests across different services, which could expose access to resources authenticated for another service (CVE-2026-8458)
- cookie parsing behavior that could allow cookies to be sent to unrelated third-party domains (CVE-2026-8924)
- a double-free in GSASL handling that could lead to denial of service or possibly arbitrary code execution (CVE-2026-8925)
- incorrect .netrc password selection that could expose sensitive information (CVE-2026-8926)
- proxy authentication state and credential clearing flaws that could expose sensitive credentials (CVE-2026-8927 and CVE-2026-9079)
- a use-after-free involving curl_easy_pause() in an event-based socket callback, with possible denial of service or code execution impact (CVE-2026-9080)
- early TLS data being sent before certificate verification failure is enforced, creating a possible machine-in-the-middle information exposure scenario (CVE-2026-9545)
- improper rejection of host key type mismatches for SCP and SFTP when using the SSH key callback, creating a possible server impersonation risk in machine-in-the-middle conditions (CVE-2026-9547)
Importantly, the Ubuntu notice does not state that these flaws are being actively exploited. The defensive takeaway is to treat them as patching priorities based on where curl is used in your environment and which Ubuntu releases are in scope.
Who should care
This alert is especially relevant for:
- Linux and Ubuntu administrators maintaining supported Ubuntu fleets
- DevOps and platform teams running automation, CI/CD jobs, or orchestration workflows that depend on curl
- Security teams monitoring credential exposure and network trust boundaries
- Developers shipping applications that link against libcurl or invoke curl for API access, file transfer, authentication, or proxy-aware traffic
- Organizations using SCP or SFTP workflows through curl-backed tooling
The advisory spans multiple Ubuntu versions, including Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, 24.04 LTS, 25.10, and 26.04 LTS, but not every CVE affects every release.
Practical response
Defenders should take a measured, operational approach:
Identify affected systems
Inventory Ubuntu hosts, containers, golden images, and workloads that include curl or libcurl.
Match exposure by release
Review USN-8487-1 carefully, since several CVEs apply only to specific Ubuntu versions.
Apply Ubuntu security updates promptly
Prioritize internet-facing systems, automation hosts, integration servers, and systems handling sensitive credentials or authenticated transfers.
Review curl-dependent workflows
Pay special attention to:
- STARTTLS-based connections
- Negotiate-authenticated requests
- proxy-authenticated traffic
- .netrc usage
- SCP/SFTP transfers
- applications using libcurl event-based callbacks or SASL-related functionality
Validate post-update behavior
After patching, test critical scripts and services to confirm authentication flows, proxy handling, file transfer operations, and TLS validation behave as expected.
Reduce credential exposure risk
Where practical, audit stored credentials, rotate sensitive secrets if exposure is a concern, and minimize reliance on inherited or persistent authentication state in automated jobs.
Bottom line
USN-8487-1 is a high-importance maintenance alert for Ubuntu environments that rely on curl. While the issues vary in scope and affected releases, the advisory includes multiple paths to credential exposure, trust-boundary failures, denial of service, and in limited cases possible code execution.
For defenders, the message is straightforward: patch affected Ubuntu systems, verify which curl use cases exist in your environment, and validate security-sensitive workflows after updating.
Frequently asked questions
What is USN-8487-1?
USN-8487-1 is an Ubuntu Security Notice covering multiple vulnerabilities in curl, a widely used tool and library for transferring data with URLs.
Are all Ubuntu releases affected by every issue?
No. The notice states that several vulnerabilities only affect specific Ubuntu releases, so organizations should review the advisory carefully against their deployed versions.
What should defenders do first?
Prioritize patching affected Ubuntu systems, then review services, scripts, and applications that rely on curl for network communications, authentication, or file transfers.