CVE-2025-14017

Publication date 8 January 2026

Last updated 27 February 2026

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

6.3 · Medium

Score breakdown

Description

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.

Status

Package Ubuntu Release Status
curl 25.10 questing
Fixed 8.14.1-2ubuntu1.1
25.04 plucky Ignored end of life, was needs-triage
24.04 LTS noble
Fixed 8.5.0-2ubuntu10.7
22.04 LTS jammy
Fixed 7.81.0-1ubuntu1.22
20.04 LTS focal
Vulnerable
18.04 LTS bionic
Vulnerable
16.04 LTS xenial
Vulnerable
14.04 LTS trusty
Vulnerable

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
curl

Severity score breakdown

Parameter Value
Base score 6.3 · Medium
Attack vector Local
Attack complexity High
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References

Related Ubuntu Security Notices (USN)

    • USN-8062-1
    • curl vulnerabilities
    • 25 February 2026

Other references