<Vulnerability name="CVE-2026-8924">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-03T06:15:04</PublicDate>
    <Bugzilla id="2496765" url="https://bugzilla.redhat.com/show_bug.cgi?id=2496765" xml:lang="en:us">
curl: curl: Cookie injection via malicious HTTP server using super cookies
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>6.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-565</CWE>
    <Details xml:lang="en:us" source="Mitre">
A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set
'super cookies' that bypass the Public Suffix List check. This enables an
attacker-controlled origin to inject cookies that curl subsequently scopes and
transmits to unrelated third-party domains.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in curl's cookie parsing logic. A malicious HTTP server can exploit this by setting 'super cookies' that bypass the Public Suffix List check. This allows an attacker-controlled origin to inject cookies that curl then transmits to unrelated third-party domains, leading to compromising request integrity.
    </Details>
    <Statement xml:lang="en:us">
Moderate: Red Hat rates this flaw Moderate (CVSS 6.5) compared to CISA's Critical (9.1). The scoring difference is due to two factors: first, exploitation requires the victim's curl to connect using a trailing-dot hostname (e.g., https://example.co.uk.), a format that is uncommon in practice and incompatible with TLS SNI; second, the direct impact is cookie injection into outbound requests — not exfiltration of victim data to the attacker. The curl project itself rates this flaw Low severity. Red Hat products that use curl for HTTP communication are affected, but the trailing-dot precondition significantly limits real-world exploitability. This flaw has not been shown to enable impacts beyond session integrity modification.
    </Statement>
    <Mitigation xml:lang="en:us">
Do not use trailing-dot hostnames in URLs passed to curl. Trailing dots are uncommon and incompatible with TLS SNI. Upgrade to curl 8.21.0 to resolve
    </Mitigation>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-06-24T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:29017">RHSA-2026:29017</Advisory>
        <Package name="curl-main">curl-main-8.21.0-0.1.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-02T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:34975">RHSA-2026:34975</Advisory>
        <Package name="rust-main">rust-main-1.96.1-1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>curl</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>curl</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>curl</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>curl</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>curl</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhcos</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>devspaces/code-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:trusted_profile_analyzer:2">
        <ProductName>Red Hat Trusted Profile Analyzer</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhtpa/rhtpa-trustification-service-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-8924
https://nvd.nist.gov/vuln/detail/CVE-2026-8924
https://curl.se/docs/CVE-2026-8924.html
https://curl.se/docs/CVE-2026-8924.json
https://hackerone.com/reports/3733905
    </References>
</Vulnerability>