2461200 – (CVE-2026-4873) CVE-2026-4873 curl: curl: Information disclosure due to incorrect TLS connection reuse

Bug 2461200 (CVE-2026-4873) - CVE-2026-4873 curl: curl: Information disclosure due to incorrect TLS connection reuse

Summary: CVE-2026-4873 curl: curl: Information disclosure due to incorrect TLS connect...

Keywords:
Status:	NEW
Alias:	CVE-2026-4873
Deadline:	2026-04-29
Product:	Security Response
Classification:	Other
Component:	vulnerability-draft
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-23 16:47 UTC by OSIDB Bzimport
Modified:	2026-04-30 09:52 UTC (History)
CC List:	25 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-23 16:47:32 UTC

A flaw was found in curl. A remote attacker could exploit this by initiating an unencrypted connection (via IMAP, SMTP, or POP3) and then making a subsequent request to the same host that requires Transport Layer Security (TLS). Due to incorrect connection reuse, the subsequent request would bypass the TLS requirement, leading to the transmission of sensitive information in cleartext. This vulnerability, categorized as Cleartext Transmission of Sensitive Information (CWE-319), results in information disclosure.

Note You need to log in before you can comment on or make changes to this bug.

adudiak
bbrownin
crizzo
csutherl
dbosanac
jclere
jmitchel
jreimann
kaycoth
kshier
mdessi
mrizzi
pbohmill
pcattana
pjindal
plodge
rhel-process-autobot
sdawley
security-response-team
stcannon
szappis
teagle
vchlup
watson-tool-maintainers
yguenane