{"id":"UBUNTU-CVE-2025-9086","details":"1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary. The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host, so overriding it on an insecure host should not be okay.","modified":"2026-02-28T06:16:58.395956Z","published":"2025-09-10T07:00:00Z","related":["USN-8062-1"],"upstream":["CVE-2025-9086"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-9086"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2025-9086"},{"type":"REPORT","url":"https://curl.se/docs/CVE-2025-9086.html"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8062-1"}],"affected":[{"package":{"name":"curl","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/curl@8.14.1-2ubuntu1.1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"8.14.1-2ubuntu1.1"}]}],"versions":["8.12.1-3ubuntu1","8.13.0-5ubuntu1","8.14.1-1ubuntu2","8.14.1-1ubuntu3","8.14.1-2ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"curl","binary_version":"8.14.1-2ubuntu1.1"},{"binary_name":"libcurl3t64-gnutls","binary_version":"8.14.1-2ubuntu1.1"},{"binary_name":"libcurl4-gnutls-dev","binary_version":"8.14.1-2ubuntu1.1"},{"binary_name":"libcurl4-openssl-dev","binary_version":"8.14.1-2ubuntu1.1"},{"binary_name":"libcurl4t64","binary_version":"8.14.1-2ubuntu1.1"}],"availability":"No subscription required","priority_reason":"Curl developers have rated this as being low severity"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-9086.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]}