vulnerability

Rocky Linux: CVE-2025-9086: curl (Multiple Advisories)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:N/I:N/A:C)	Jan 30, 2026	Feb 2, 2026	Mar 31, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Published

Jan 30, 2026

Added

Feb 2, 2026

Modified

Mar 31, 2026

Description

1. A cookie is set using the `secure` keyword for `https://target`
2. curl is redirected to or otherwise made to speak with `http://target` (same
hostname, but using clear text HTTP) using the same cookie set
3. The same cookie name is set - but with just a slash as path (`path=\"/\",`).
Since this site is not secure, the cookie *should* just be ignored.
4. A bug in the path comparison logic makes curl read outside a heap buffer
boundary

The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of the
secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.

Solutions

rocky-upgrade-curlrocky-upgrade-curl-debuginforocky-upgrade-curl-debugsourcerocky-upgrade-curl-minimalrocky-upgrade-curl-minimal-debuginforocky-upgrade-libcurlrocky-upgrade-libcurl-debuginforocky-upgrade-libcurl-develrocky-upgrade-libcurl-minimalrocky-upgrade-libcurl-minimal-debuginfo

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today