CVE-2026-12064

NameCVE-2026-12064
DescriptionWhen a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)bullseye7.74.0-1.3+deb11u13fixed
bullseye (security)7.74.0-1.3+deb11u16fixed
bookworm7.88.1-10+deb12u15vulnerable
bookworm (security)7.88.1-10+deb12u5vulnerable
trixie8.14.1-2+deb13u4vulnerable
forky8.20.0-5vulnerable
sid8.21.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcebullseye(not affected)
curlsource(unstable)8.21.0~rc3-1

Notes

[trixie] - curl <no-dsa> (Minor issue)
[bookworm] - curl <postponed> (Minor issue; needs schemeless URL with --proto-default sftp/scp)
[bullseye] - curl <not-affected> (Vulnerable code introduced in 7.81.0; bullseye ships 7.74.0)
https://curl.se/docs/CVE-2026-12064.html
Introduced with: https://github.com/curl/curl/commit/18270893abdb19f0ca170c118f8a2847dbd304be (curl-7_81_0)
Fixed by: https://github.com/curl/curl/commit/ab3bb8cd8be8f9d4acb97da0418abc279182041e (rc-8_21_0-3, curl-8_21_0)

Search for package or bug name: Reporting problems