PT-2025-54486
Daniel Stenberg
Published: 2025-01-01 · Updated: 2026-05-04
CVE-2025-14017
CVSS v3.1: 6.3 (Medium)
Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
libcurl versions prior to 7.87.0-150400.7.26.1
openSUSE Leap 15.6 (affected versions not specified)
SUSE Linux Enterprise Server 15 SP4 (affected versions not specified)
Description
The issue concerns libcurl's handling of TLS options during multi-threaded LDAPS (LDAP over TLS) transfers. TLS options modified in one thread are applied globally rather than per transfer, so they unintentionally affect other concurrent transfers. In particular, disabling certificate verification for a single transfer can inadvertently disable it for all threads, leaving connections unauthenticated and exposing sensitive data to compromise. The issue is also described as a heap buffer overflow in curl, potentially allowing Remote Code Execution (RCE) via malicious SOCKS5 proxy responses.
Recommendations
Update libcurl to version 7.87.0-150400.7.26.1 or later.
Apply the security update SUSE-2026-0078-1.
Update openSUSE Leap 15.6 to the latest available version.
Update SUSE Linux Enterprise Server 15 SP4 to the latest available version.
Affected Products
Debian
Linuxmint
Red Os
Suse Linux Enterprise Server 15 Sp4
Ubuntu
Libcurl
Opensuse Leap 15.6