Vulnerability CVE-2025-14819: Information

Description

When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

Severity: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
URL: https://nvd.nist.gov/vuln/detail/CVE-2025-14819
Published: Jan. 8, 2026
Modified: Jan. 20, 2026
Error type identifier: CWE-295

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
curlsisyphus8.18.0-alt18.18.0-alt1ALT-PU-2026-1133-1404633Fixed
curlsisyphus_riscv648.18.0-alt18.18.0-alt1ALT-PU-2026-1147-1-Fixed
curlsisyphus_loongarch648.18.0-alt18.18.0-alt1ALT-PU-2026-1153-1-Fixed
curlp118.18.0-alt18.18.0-alt1ALT-PU-2026-1135-2404638Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://curl.se/docs/CVE-2025-14819.html
  • Vendor Advisory
  • Mitigation
  • Patch
https://curl.se/docs/CVE-2025-14819.json
  • Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/01/07/5
  • Mailing List
  • Third Party Advisory
  • Mitigation
  • Patch
    1. cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
      Start including
      7.87.0
      End excluding
      8.18.0
VKontakte|Telegram|YouTube|Forum|ALT Linux Space|Bugzilla
Version: v25.10.0
Back to top