In the ever-evolving landscape of cybersecurity, even the most fundamental tools can become vectors for sophisticated attacks. On March 17, 2026, SUSE released a critical security advisory (SUSE-SU-2026:0911-1) addressing four high-impact vulnerabilities in curl, the ubiquitous command-line tool and library for transferring data.
For system administrators and security professionals managing openSUSE Leap 15.4 or SUSE Linux Enterprise (SLE) distributions, understanding and applying this update is not just a matter of routine maintenance—it's an essential step in safeguarding infrastructure integrity.
This patch remediates flaws that could lead to credential leakage, unauthorized data access, and application instability, particularly in enterprise environments where curl is deeply integrated into automation, application development, and system operations.
The Vulnerabilities: A Technical Deep Dive
This security update resolves four distinct Common Vulnerabilities and Exposures (CVEs), each with its own attack vector and potential impact. The common thread is improper connection handling and credential management within curl's operations. Below, we break down each vulnerability to explain the technical risk and why immediate action is required.
CVE-2026-1965: HTTP Negotiate Connection Reuse Flaw (CVSS 7.5)
Description:
This vulnerability stems from improper reuse of HTTP connections when the Negotiate authentication method is used. In affected versions, a connection that was previously authenticated with Negotiate could be reused for a different request without properly resetting the security context.
This flaw, tracked in SUSE bug bsc#1259362, could allow an attacker to perform operations under a different user's authenticated session.
Impact:
The primary risk is authentication bypass. If an attacker can control the request destination or influence connection reuse (e.g., through a man-in-the-middle position or malicious redirect), they could hijack a legitimate user's credentials to access protected resources.
CVSS Vector:
The SUSE CVSS:3.1 score of 7.5 (High) highlights the potential for serious confidentiality and integrity impacts. The vector AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N indicates a local attack vector with high attack complexity, but the scope change and high impact on confidentiality and integrity underscore its severity.
CVE-2026-3783: Netrc Token Leak via Redirect (CVSS 5.3)
Description:
This issue involves a token leak when curl follows HTTP redirects while using a .netrc file for credentials. If a request is redirected from one host to another, the authentication tokens intended for the original host could be inadvertently sent to the destination host (bsc#1259363).
Impact:
This constitutes a credential disclosure vulnerability. An attacker could set up a malicious server that redirects a curl request to a target site while capturing the .netrc credentials sent along. This is particularly dangerous in automated scripts where .netrc is used for password-less authentication.
NVD Analysis:
The National Vulnerability Database (NVD) rates this with a base score of 5.3 (Medium) using the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, emphasizing the network-based attack vector and the low complexity required for exploitation.
CVE-2026-3784: Proxy Connection Reuse with Credentials (CVSS 6.5)
Description:
A logic error in how curl manages proxy connections leads to improper reuse when different credentials are involved (bsc#1259364). When a connection pool is used, a proxy connection established with one set of credentials might be reused for a request requiring different credentials.
Impact:
This flaw could lead to requests being sent through a proxy using incorrect authentication contexts. In multi-tenant environments or shared hosting, this might result in one user's traffic being unintentionally routed or authenticated as another user, potentially leading to information disclosure or request failures.
CVSS Breakdown:
The NVD assigns a 6.5 (Medium) score to CVE-2026-3784, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. This reflects the network attack vector and the potential for partial integrity and confidentiality impacts without requiring user interaction.
CVE-2026-3805: Use-After-Free in SMB Connection Reuse (CVSS 7.5)
Description:
The most severe of the quartet, CVE-2026-3805, is a classic memory corruption issue—a use-after-free vulnerability—in curl's handling of Server Message Block (SMB) connection reuse (bsc#1259365). When an SMB connection is closed but not properly removed from the connection cache, a subsequent request might attempt to use the already-freed memory.
Impact:
Use-after-free vulnerabilities are notoriously dangerous. An attacker who can trigger this condition could cause a denial of service (application crash) or potentially execute arbitrary code on the affected system.
Severity Assessment:
The NVD gives this vulnerability a CVSS score of 7.5 (High), with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The focus here is on availability impact, but in memory corruption scenarios, the potential for code execution often escalates the real-world risk significantly.
Affected Products and Environments
This update is critical for a wide swath of the SUSE ecosystem. System administrators should verify whether their deployments are in the affected list below.
OpenSUSE and SUSE Linux Enterprise
The update impacts both the community-driven openSUSE and enterprise-grade SUSE Linux Enterprise distributions. Key affected products include:
- openSUSE Leap 15.4
- SUSE Linux Enterprise Server (SLES) 15 SP4 and SP5, including LTSS versions
- SUSE Linux Enterprise Desktop 15 SP4 and SP5
- SUSE Linux Enterprise High Performance Computing 15 SP4 and SP5 (including ESPOS and LTSS variants)
- SUSE Linux Enterprise Micro versions 5.3, 5.4, and 5.5 (including Rancher versions)
- SUSE Manager Proxy, Retail Branch Server, and Server 4.3
Did you know that SUSE Manager is also affected?
If your infrastructure management layer runs on an affected version, its curl instance must be patched to prevent management operations from becoming a threat vector.
Remediation: Step-by-Step Patch Management
Applying this security update is straightforward using SUSE's robust package management tools. The updated packages bring curl to version 8.14.1-150400.5.80.1, which contains the backported security fixes.
Using Zypper (Command Line)
For most server and desktop installations, the zypper package manager is the recommended tool.
2. Apply the Specific Patch:
It's best practice to apply the specific patch ID to ensure only the security update is applied:
    # Example for openSUSE Leap 15.4
    sudo zypper install -t patch SUSE-2026-911=1
3. Verify the Installation:
After the update, confirm the new version is active:
    curl --version
Using YaST (Graphical Interface)
For administrators who prefer a graphical tool, YaST provides a point-and-click method.
- Open YaST and navigate to Software → Online Update.
- Click on View and select Patches to see available security updates.
- Locate the patch corresponding to SUSE-2026-911 or search for "curl".
- Select the patch and click Accept to install.
Why is a reboot generally not required? Since curl is a user-space library and tool, applications using it need to be restarted to load the new version, but the system kernel remains unaffected. Services like web servers or cron jobs that call curl should be restarted to ensure they are using the patched libcurl4.
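The verification steps above can be scripted so that a fleet check does not depend on eyeballing `curl --version`. The following POSIX shell helper is an added example, not part of the advisory or SUSE's tooling: it compares an installed rpm version-release string against the fixed version quoted for openSUSE Leap 15.4 (other SLE products may carry a different release string, so adjust `FIXED_CURL_VERSION` accordingly), and in `--check` mode queries rpm for the `curl` and `libcurl4` packages and runs `zypper ps -s` to list processes still mapping the pre-update library, which is how you find the services that need a restart.

```shell
#!/bin/sh
# Added example (not SUSE's code): verify that the curl update from
# SUSE-SU-2026:0911-1 is installed and that no running process still uses
# the old libcurl. The fixed version below is the Leap 15.4 one from the text.

FIXED_CURL_VERSION="8.14.1-150400.5.80.1"

# curl_is_patched VERSION-RELEASE
# Returns 0 when the given rpm version-release string is at least the fixed one.
# sort -V compares each dotted/dashed component numerically, so 5.80.1 ranks
# above 5.9.1 where a plain string comparison would get it wrong.
curl_is_patched() {
    installed="$1"
    lowest=$(printf '%s\n%s\n' "$FIXED_CURL_VERSION" "$installed" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_CURL_VERSION" ]
}

# installed_version PACKAGE
# Prints VERSION-RELEASE of an installed rpm; fails if it is not installed.
installed_version() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null
}

# Check the packages the advisory ships and list processes that still map
# the pre-update library (zypper ps -s reports processes using deleted files).
check_system() {
    status=0
    for pkg in curl libcurl4; do
        if ! ver=$(installed_version "$pkg"); then
            echo "$pkg: not installed"
            continue
        fi
        if curl_is_patched "$ver"; then
            echo "$pkg $ver: patched"
        else
            echo "$pkg $ver: VULNERABLE, expected >= $FIXED_CURL_VERSION"
            status=1
        fi
    done
    echo "Processes still using pre-update libraries (restart these services):"
    zypper ps -s
    return $status
}

# Only touch the live system when explicitly asked, so the functions above
# can be sourced and reused elsewhere.
case "${1:-}" in
    --check) check_system ;;
esac
```

Run it as `sudo sh check-curl.sh --check`; the exit status is non-zero when either package is older than the fixed version, which makes it easy to wire into a configuration-management or monitoring check.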
Strategic Insights for System Hardening
Beyond the immediate patching imperative, this security update highlights broader principles of infrastructure defense.
- The Danger of Connection Reuse: Three of the four CVEs (CVE-2026-1965, CVE-2026-3784, CVE-2026-3805) relate directly to connection reuse. This feature, designed for performance, can become a liability. Security architects should evaluate whether performance-enhancing features in critical software create unacceptable risk surfaces in their specific threat model. For highly sensitive environments, consider whether disabling connection pooling for authenticated sessions is a worthwhile trade-off.
- Credential Management Complexity: CVE-2026-3783 (netrc leak) serves as a stark reminder that credentials in transit are perpetually at risk. While .netrc files offer convenience, they centralize secrets in plain text on the file system. This vulnerability adds a network-based exfiltration risk to the existing file system exposure. Migration to more secure secret management solutions—like HashiCorp Vault, Kubernetes Secrets, or even environment variables with restricted scope—should be a long-term strategic goal.
- Third-Party Component Vigilance: curl is a perfect example of a "lowest common denominator" dependency. It is everywhere. This update underscores the necessity of a robust Software Bill of Materials (SBOM) strategy. Knowing exactly where curl (and other common libraries like OpenSSL or glibc) is used in your environment is the first step toward rapid incident response. Without an SBOM, a critical curl patch means a frantic, manual hunt through every server, container, and embedded system.
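Two of the hardening points above, the exposure of plain-text .netrc files and knowing where libcurl is linked in, can be audited on a host with a few lines of shell. The script below is an added example and not part of the article, SUSE's tooling or the curl project: `libcurl_from_ldd` filters ldd-style output for libcurl entries (the sample ldd lines are constructed for the test), `scan_binaries` applies that to real binaries, `netrc_mode_ok` flags a .netrc that is readable by anyone other than its owner, and `--audit` mode additionally asks rpm which installed packages depend on `libcurl4`. The `stat -c` and `rpm --whatrequires` invocations assume a GNU/rpm-based host such as the SUSE products listed above.

```shell
#!/bin/sh
# Added hardening-audit helpers (example code, not from SUSE or the curl project):
#  1) inventory binaries and packages that depend on libcurl, a first step toward
#     the SBOM-style tracking the article recommends;
#  2) flag a .netrc whose permissions expose its plain-text credentials.

# Read ldd-style output on stdin and print only the libcurl entries.
# Returns 0 if at least one libcurl line was found, 1 otherwise.
libcurl_from_ldd() {
    grep -E '^[[:space:]]*libcurl\.so' | sed 's/^[[:space:]]*//' | grep .
}

# scan_binaries PATH...
# Prints "path: libcurl line" for every binary that links libcurl.
scan_binaries() {
    for bin in "$@"; do
        if deps=$(ldd "$bin" 2>/dev/null | libcurl_from_ldd); then
            printf '%s: %s\n' "$bin" "$deps"
        fi
    done
}

# netrc_mode_ok FILE
# Returns 0 if FILE exists and is readable only by its owner (mode 600 or 400).
# Any group/other permission bit means the stored credentials leak locally.
netrc_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of ldd output, used to show the filter without a real binary.
SAMPLE_LDD=$(printf '\tlinux-vdso.so.1 (0x00007ffd4a3f0000)\n\tlibcurl.so.4 => /usr/lib64/libcurl.so.4 (0x00007f1b2c000000)\n\tlibc.so.6 => /lib64/libc.so.6 (0x00007f1b2be00000)\n')

# Run the checks against the live host.
audit_host() {
    echo "Packages depending on libcurl4:"
    rpm -q --whatrequires libcurl4
    echo "Binaries in /usr/bin linked against libcurl:"
    scan_binaries /usr/bin/*
    for f in "$HOME/.netrc" /root/.netrc; do
        if [ -f "$f" ] && ! netrc_mode_ok "$f"; then
            echo "WARNING: $f is readable by others (mode $(stat -c '%a' "$f"))"
        fi
    done
}

case "${1:-}" in
    --audit) audit_host ;;
    --demo) printf '%s\n' "$SAMPLE_LDD" | libcurl_from_ldd ;;
esac
```

`sh curl-audit.sh --demo` exercises the filter on the constructed sample; `sudo sh curl-audit.sh --audit` runs the real inventory. The package-level list from rpm is the cheap first cut; the ldd scan catches statically configured or vendored software that the package manager does not know about, which is exactly the gap an SBOM is meant to close.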
Conclusion: The Criticality of Proactive Patching
The release of SUSE-SU-2026:0911-1 is more than a routine security bulletin; it's a critical call to action for every organization relying on SUSE and openSUSE platforms. The quartet of vulnerabilities patched—ranging from authentication bypass (CVE-2026-1965) to credential leakage (CVE-2026-3783) and potential remote code execution (CVE-2026-3805)—poses a tangible risk to system confidentiality, integrity, and availability.
Delaying this update exposes your infrastructure to exploits that are likely to be reverse-engineered and weaponized quickly now that the patches are public. System administrators should leverage tools like zypper immediately to deploy the fixes. As we've seen, the core issue often lies not in a single line of code, but in the complex interactions of features like connection reuse and credential forwarding.
By understanding the technical nuances of these CVEs and implementing the provided remediation steps, you close critical security gaps. Use this event to review your broader credential management and dependency tracking strategies. The security of your entire stack often rests on the foundational tools you least suspect.