{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-12T05:10:03Z",
  "bugzilla" : {
    "description" : "curl: libcurl: Curl out of bounds read for cookie path",
    "id" : "2394750",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2394750"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "1. A cookie is set using the `secure` keyword for `https://target` \n2. curl is redirected to or otherwise made to speak with `http://target` (same \nhostname, but using clear-text HTTP) using the same cookie set \n3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`).\nSince this site is not secure, the cookie *should* just be ignored.\n4. A bug in the path comparison logic makes curl read outside a heap buffer\nboundary.\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay.", "An out-of-bounds read flaw has been discovered in the curl project. Under specific conditions the path comparison logic makes curl read outside a heap buffer boundary. This bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-03T00:00:00Z",
    "advisory" : "RHSA-2026:1825",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "curl-0:8.12.1-2.el10_1.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-01-28T00:00:00Z",
    "advisory" : "RHSA-2026:1477",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "curl-0:8.12.1-1.el10_0.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-12-18T00:00:00Z",
    "advisory" : "RHSA-2025:23383",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "curl-0:7.61.1-34.el8_10.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-27T00:00:00Z",
    "advisory" : "RHSA-2026:1350",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "curl-0:7.76.1-35.el9_7.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-27T00:00:00Z",
    "advisory" : "RHSA-2026:1350",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "curl-0:7.76.1-35.el9_7.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-12-11T00:00:00Z",
    "advisory" : "RHSA-2025:23126",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "curl-0:7.76.1-14.el9_0.12"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-12-11T00:00:00Z",
    "advisory" : "RHSA-2025:23127",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "curl-0:7.76.1-23.el9_2.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-12-11T00:00:00Z",
    "advisory" : "RHSA-2025:23125",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "curl-0:7.76.1-29.el9_4.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23043",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "curl-0:7.76.1-31.el9_6.2"
  }, {
    "product_name" : "Red Hat Discovery 2",
    "release_date" : "2026-02-02T00:00:00Z",
    "advisory" : "RHSA-2026:1736",
    "cpe" : "cpe:/a:redhat:discovery:2::el9",
    "package" : "discovery/discovery-server-rhel9:sha256:519d4fe184cebe5152f840e9f609fa4705590656ac9bcace2e2e17622ab7e6a8"
  }, {
    "product_name" : "Red Hat Insights proxy 1.5",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2485",
    "cpe" : "cpe:/a:redhat:insights_proxy:1.5::el9",
    "package" : "insights-proxy/insights-proxy-container-rhel9:sha256:975a1e501a8520df83f3f4114e72a71384ff1866ec99c7a45fffbf8c76ef5cbc"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2563",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/installer-rhel9:sha256:48cf7cf48dfadb17f9357bf1894a5d0393551a893faa8b0ea0e11fe1ffed497f"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-03-18T00:00:00Z",
    "advisory" : "RHSA-2026:4943",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/cds-rhel9:sha256:200c27e9b396276bd505c6b41127ac5eb1d94d620172cb818ae733f2a21ac524"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-03-18T00:00:00Z",
    "advisory" : "RHSA-2026:4943",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/haproxy-rhel9:sha256:d98fd3fe5f5f9acd0efae7db19b61b864be1eb2fbe2586a1b6be2429fa2cc7a3"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-03-18T00:00:00Z",
    "advisory" : "RHSA-2026:4943",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/rhua-rhel9:sha256:5f1fbf66fb349a7baf066a1216d39989c3b89f18ec5108b96d9643baf4856778"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Fix deferred",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat JBoss Core Services",
    "fix_state" : "Fix deferred",
    "package_name" : "curl",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Fix deferred",
    "package_name" : "devspaces/code-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Fix deferred",
    "package_name" : "devspaces-tech-preview/idea-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat Trusted Profile Analyzer",
    "fix_state" : "Fix deferred",
    "package_name" : "rhtpa/rhtpa-trustification-service-rhel9",
    "cpe" : "cpe:/a:redhat:trusted_profile_analyzer:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-9086\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-9086\nhttps://curl.se/docs/CVE-2025-9086.html\nhttps://curl.se/docs/CVE-2025-9086.json\nhttps://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6\nhttps://hackerone.com/reports/3294999" ],
  "name" : "CVE-2025-9086",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}