Bug 2427870 (CVE-2025-14017) - CVE-2025-14017 curl: curl: Security bypass due to global TLS option changes in multi-threaded LDAPS transfers
Keywords:
Status: NEW
Alias: CVE-2025-14017
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2428024 2428025 2428026 2428030 2428031 2428032 2428033 2428037 2428027 2428028 2428029 2428034 2428035 2428036
Blocks:
 
Reported: 2026-01-08 11:01 UTC by OSIDB Bzimport
Modified: 2026-01-08 16:12 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-01-08 11:01:41 UTC
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,
changing TLS options in one thread would inadvertently change them globally
and therefore possibly also affect other concurrently set up transfers.

Disabling certificate verification for a specific transfer could
unintentionally disable the feature for other threads as well.

