Incorrect Implementation of Authentication Algorithm Affecting rust-toolset package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS10-RUSTTOOLSET-15466900
- published12 Mar 2026
- disclosed11 Mar 2026
Introduced: 11 Mar 2026
NewCVE-2026-1965 (opens in a new tab)How to fix?
There is no fixed version for Centos:10 rust-toolset.
NVD Description
Note: Versions mentioned in the description apply only to the upstream rust-toolset package and not the rust-toolset package as distributed by Centos.
See How to fix? for Centos:10 relevant fixed versions and status.
libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.
libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.
When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates connections and not requests, contrary to how HTTP is designed to work.
An application that allows Negotiate authentication to a server (that responds
wanting Negotiate) with user1:password1 and then does another operation to
the same server also using Negotiate but with user2:password2 (while the
previous connection is still alive) - the second request wrongly reused the
same connection and since it then sees that the Negotiate negotiation is
already made, it just sends the request over that connection thinking it uses
the user2 credentials when it is in fact still using the connection
authenticated for user1...
The set of authentication methods to use is set with CURLOPT_HTTPAUTH.
Applications can disable libcurl's reuse of connections and thus mitigate this
problem, by using one of the following libcurl options to alter how
connections are or are not reused: CURLOPT_FRESH_CONNECT,
CURLOPT_MAXCONNECTS and CURLMOPT_MAX_HOST_CONNECTIONS (if using the
curl_multi API).