{ "document": { "aggregate_severity": { "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "CVE-2024-7264: fix ASN.1 GTime2str() heap buffer over-read caused by\n off-by-one in fractional seconds length calculation", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776601980", "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776601980" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/tuxcare9.6esu/advisories/2026/clsa-2026_1776601980.json" } ], "tracking": { "current_release_date": "2026-04-19T12:33:58Z", "generator": { "date": "2026-04-19T12:33:58Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2026:1776601980", "initial_release_date": "2026-04-19T12:33:58Z", "revision_history": [ { "date": "2026-04-19T12:33:58Z", "number": "1", "summary": "Initial version" } ], "status": "final", "version": "1" }, "title": "curl: Fix of CVE-2024-7264" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "AlmaLinux 9.6", "product": { "name": "AlmaLinux 9.6", "product_id": "AlmaLinux-9.6", "product_identification_helper": { "cpe": "cpe:2.3:o:almalinux:almalinux:9.6:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "AlmaLinux" } ], "category": "vendor", "name": "AlmaLinux OS Foundation" }, { "branches": [ { "branches": [ { "category": "product_name", "name": "Rocky Linux 9.6", "product": { "name": "Rocky Linux 9.6", "product_id": "Rocky Linux-9.6", "product_identification_helper": { "cpe": "cpe:2.3:o:resf:rocky_linux:9.6:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Rocky Linux" } ], "category": "vendor", "name": "Rocky Linux" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "product": { "name": "libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "product_id": "libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libcurl@7.76.1-31.el9_6.1.tuxcare.els9?arch=i686" } } }, { "category": "product_version", "name": "libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "product": { "name": "libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "product_id": "libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libcurl-devel@7.76.1-31.el9_6.1.tuxcare.els9?arch=i686" } } }, { "category": "product_version", "name": "libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "product": { "name": "libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "product_id": "libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libcurl-minimal@7.76.1-31.el9_6.1.tuxcare.els9?arch=i686" } } } ], "category": "architecture", "name": "i686" }, { "branches": [ { "category": "product_version", "name": "libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "product": { "name": "libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "product_id": "libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libcurl@7.76.1-31.el9_6.1.tuxcare.els9?arch=x86_64" } } }, { "category": "product_version", "name": "curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "product": { "name": "curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "product_id": "curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/curl-minimal@7.76.1-31.el9_6.1.tuxcare.els9?arch=x86_64" } } }, { "category": "product_version", "name": "libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "product": { "name": "libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "product_id": "libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libcurl-devel@7.76.1-31.el9_6.1.tuxcare.els9?arch=x86_64" } } }, { "category": "product_version", "name": "curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "product": { "name": "curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "product_id": "curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/curl@7.76.1-31.el9_6.1.tuxcare.els9?arch=x86_64" } } }, { "category": "product_version", "name": "libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "product": { "name": "libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "product_id": "libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libcurl-minimal@7.76.1-31.el9_6.1.tuxcare.els9?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686" }, "product_reference": "libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" }, "product_reference": "libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" }, "product_reference": "curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686" }, "product_reference": "libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" }, "product_reference": "libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" }, "product_reference": "curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686" }, "product_reference": "libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" }, "product_reference": "libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686" }, "product_reference": "libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" }, "product_reference": "libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" }, "product_reference": "curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686" }, "product_reference": "libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" }, "product_reference": "libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" }, "product_reference": "curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686" }, "product_reference": "libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" }, "product_reference": "libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-7264", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "description", "text": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2024-7264" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2024/07/31/1", "url": "http://www.openwall.com/lists/oss-security/2024/07/31/1" }, { "category": "external", "summary": "https://curl.se/docs/CVE-2024-7264.html", "url": "https://curl.se/docs/CVE-2024-7264.html" }, { "category": "external", "summary": "https://curl.se/docs/CVE-2024-7264.json", "url": "https://curl.se/docs/CVE-2024-7264.json" }, { "category": "external", "summary": "https://hackerone.com/reports/2629968", "url": "https://hackerone.com/reports/2629968" }, { "category": "external", "summary": "https://github.com/curl/curl/commit/27959ecce75cdb2809c0bdb3286e60e08fadb519", "url": "https://github.com/curl/curl/commit/27959ecce75cdb2809c0bdb3286e60e08fadb519" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20240828-0008/", "url": "https://security.netapp.com/advisory/ntap-20240828-0008/" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20241025-0006/", "url": "https://security.netapp.com/advisory/ntap-20241025-0006/" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20241025-0010/", "url": "https://security.netapp.com/advisory/ntap-20241025-0010/" } ], "release_date": "2024-07-31T08:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-04-19T12:33:03.048435Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776601980", "product_ids": [ "AlmaLinux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776601980" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2025-14017", "cwe": { "id": "CWE-1058", "name": "Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element" }, "notes": [ { "category": "description", "text": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,\nchanging TLS options in one thread would inadvertently change them globally\nand therefore possibly also affect other concurrently setup transfers.\nDisabling certificate verification for a specific transfer could\nunintentionally disable the feature for other threads as well.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-14017" } ], "release_date": "2026-01-08T10:07:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-04-19T12:33:03.048435Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776601980", "product_ids": [ "AlmaLinux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776601980" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AlmaLinux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2023-46219", "cwe": { "id": "CWE-311", "name": "Missing Encryption of Sensitive Data" }, "notes": [ { "category": "description", "text": "When saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2023-46219" }, { "category": "external", "summary": "https://curl.se/docs/CVE-2023-46219.html", "url": "https://curl.se/docs/CVE-2023-46219.html" }, { "category": "external", "summary": "https://hackerone.com/reports/2236133", "url": "https://hackerone.com/reports/2236133" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20240119-0007/", "url": "https://security.netapp.com/advisory/ntap-20240119-0007/" }, { "category": "external", "summary": "https://www.debian.org/security/2023/dsa-5587", "url": "https://www.debian.org/security/2023/dsa-5587" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/" } ], "release_date": "2023-12-12T02:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-04-19T12:33:03.048435Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776601980", "product_ids": [ "AlmaLinux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776601980" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "AlmaLinux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "AlmaLinux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:curl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-devel-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.i686", "Rocky Linux-9.6:libcurl-minimal-0:7.76.1-31.el9_6.1.tuxcare.els9.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2023-28320", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "description", "text": "A denial of service vulnerability exists in curl