2426408 – (CVE-2025-14819) CVE-2025-14819 curl: libcurl: Improper certificate validation due to cached TLS settings reuse

Bug 2426408 (CVE-2025-14819) - CVE-2025-14819 curl: libcurl: Improper certificate validation due to cached TLS settings reuse

Summary: CVE-2025-14819 curl: libcurl: Improper certificate validation due to cached T...

Keywords:
Status:	NEW
Alias:	CVE-2025-14819
Deadline:	2026-01-07
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-31 04:09 UTC by OSIDB Bzimport
Modified:	2026-04-08 08:40 UTC (History)
CC List:	25 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-31 04:09:18 UTC

When doing TLS related transfers with re-used easy or multi handles and
altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally
reuse a CA store cached in memory for which the partial chain option was
reversed. Contrary to the user's wishes and expectations. This could make
libcurl find and accept a trust chain that it otherwise would not.

Note You need to log in before you can comment on or make changes to this bug.

adudiak
crizzo
csutherl
dbosanac
gtanzill
jbuscemi
jcantril
jclere
jmitchel
jreimann
kshier
mdessi
mrizzi
pbohmill
pcattana
pjindal
plodge
rojacob
sdawley
security-response-team
stcannon
szappis
teagle
vchlup
yguenane