CVE-2026-4873

Publication date 29 April 2026

Last updated 4 May 2026

Description

A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host will bypass the TLS requirement and instead transmit data unencrypted.

Read the notes from the security team

Why is this CVE low priority?

This flaw requires a rather special series of events to trigger. Such a series is unlikely to be used much in the wild.

Learn more about Ubuntu priority

Status

Show unmaintained releases

Package	Ubuntu Release	Status
curl	26.04 LTS resolute	Fixed 8.18.0-1ubuntu2.1
	25.10 questing	Fixed 8.14.1-2ubuntu1.3
	24.04 LTS noble	Fixed 8.5.0-2ubuntu10.9
	22.04 LTS jammy	Fixed 7.81.0-1ubuntu1.24
	20.04 LTS focal	Vulnerable
	18.04 LTS bionic	Vulnerable
	16.04 LTS xenial	Vulnerable
	14.04 LTS trusty	Vulnerable

Notes

ebarretto

Introduced-in: https://github.com/curl/curl/commit/ec3bb8f727405642a

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
curl	Upstream: 507e7be

References

Related Ubuntu Security Notices (USN)

USN-8227-1
curl vulnerabilities
4 May 2026