CVE-2026-8458
UnknownSummary
The libcurl library may in some circumstances reuse the wrong connection when asked to perform Negotiate-authenticated requests, even when they are configured for different services. A logical error in the connection pool management code causes a request to incorrectly reuse an existing connection to the same server that was authenticated for different services.
Risk Assessment
The risk involves potential breach of authentication isolation between different services on the same server. This could lead to unauthorized access to resources or privilege escalation if the application relies on separation of Negotiate authentication contexts.
Recommendation
It is recommended to immediately update the libcurl library to a version containing the fix for the logical error in connection pool management. Also review the configuration of applications using Negotiate authentication and consider temporarily disabling connection reuse for sensitive services.
Original NVD description (English source)
libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.

