SB20250918119 - Fedora 42 update for curl

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20250918119

SB20250918119 - Fedora 42 update for curl

Published: September 18, 2025

Security Bulletin ID SB20250918119
Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2025-9086)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when reading cookie path. A malicious server can set a specially crafted cookie path using the secure keyword, trigger an out-of-bounds read error and crash the application.


2) Use of insufficiently random values (CVE-ID: CVE-2025-10148)

The vulnerability allows a remote attacker to perform cache poisoning. 

The vulnerability exists due to the websocket code does not update the 32 bit mask pattern for each new outgoing frame as the specification says.Instead it used a fixed mask that persisted and was used throughout the entire connection. As a result, a malicious server can induce traffic between the two communicating parties that can be interpreted by an involved proxy and poison cached content. 


Remediation

Install update from vendor's website.

References