new file mode 100644
@@ -0,0 +1,315 @@
+From 48d71bc976572aaf09c63ab86b5165762450a507 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 14 Apr 2026 08:51:44 +0200
+Subject: [PATCH] urldata: move cookiehost to struct SingleRequest
+
+To make it scoped for the single request appropriately.
+
+Reported-by: Muhamad Arga Reksapati
+
+Verify with libtest 2504: a custom Host *disabled* on reused handle
+
+Closes #21312
+
+CVE: CVE-2026-6276
+Upstream-Status: Backport [https://github.com/curl/curl/commit/3a19987a87f393d9394fe5acc7643f6c263c92db]
+
+Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
+---
+ lib/http.c | 14 +++---
+ lib/request.c | 3 ++
+ lib/request.h | 3 ++
+ lib/url.c | 2 +-
+ lib/urldata.h | 3 --
+ tests/data/Makefile.am | 2 +-
+ tests/data/test2504 | 52 +++++++++++++++++++++
+ tests/libtest/Makefile.inc | 2 +-
+ tests/libtest/lib2504.c | 93 ++++++++++++++++++++++++++++++++++++++
+ 9 files changed, 162 insertions(+), 12 deletions(-)
+ create mode 100644 tests/data/test2504
+ create mode 100644 tests/libtest/lib2504.c
+
+diff --git a/lib/http.c b/lib/http.c
+index 188da5fd83..7ebbdfa551 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2002,6 +2002,9 @@ static CURLcode http_set_aptr_host(struct Curl_easy *data)
+ data->state.first_remote_protocol = conn->scheme->protocol;
+ }
+ Curl_safefree(aptr->host);
++#ifndef CURL_DISABLE_COOKIES
++ Curl_safefree(data->req.cookiehost);
++#endif
+
+ ptr = Curl_checkheaders(data, STRCONST("Host"));
+ if(ptr && (!data->state.this_is_a_follow ||
+@@ -2037,8 +2040,7 @@ static CURLcode http_set_aptr_host(struct Curl_easy *data)
+ if(colon)
+ *colon = 0; /* The host must not include an embedded port number */
+ }
+- curlx_free(aptr->cookiehost);
+- aptr->cookiehost = cookiehost;
++ data->req.cookiehost = cookiehost;
+ }
+ #endif
+
+@@ -2538,8 +2540,8 @@ static CURLcode http_cookies(struct Curl_easy *data,
+
+ if(data->cookies && data->state.cookie_engine) {
+ bool okay;
+- const char *host = data->state.aptr.cookiehost ?
+- data->state.aptr.cookiehost : data->conn->host.name;
++ const char *host = data->req.cookiehost ?
++ data->req.cookiehost : data->conn->host.name;
+ Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
+ result = Curl_cookie_getlist(data, data->conn, &okay, host, &list);
+ if(!result && okay) {
+@@ -3545,8 +3547,8 @@ static CURLcode http_header_s(struct Curl_easy *data,
+ if(v) {
+ /* If there is a custom-set Host: name, use it here, or else use
+ * real peer hostname. */
+- const char *host = data->state.aptr.cookiehost ?
+- data->state.aptr.cookiehost : conn->host.name;
++ const char *host = data->req.cookiehost ?
++ data->req.cookiehost : conn->host.name;
+ const bool secure_context = Curl_secure_context(conn, host);
+ CURLcode result;
+ Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
+diff --git a/lib/request.c b/lib/request.c
+index 66077530d7..765dbac058 100644
+--- a/lib/request.c
++++ b/lib/request.c
+@@ -113,6 +113,9 @@ void Curl_req_hard_reset(struct SingleRequest *req, struct Curl_easy *data)
+ struct curltime t0 = { 0, 0 };
+
+ Curl_safefree(req->newurl);
++#ifndef CURL_DISABLE_COOKIES
++ Curl_safefree(req->cookiehost);
++#endif
+ Curl_client_reset(data);
+ if(req->sendbuf_init)
+ Curl_bufq_reset(&req->sendbuf);
+diff --git a/lib/request.h b/lib/request.h
+index 5332d48538..6e4bd0fb6e 100644
+--- a/lib/request.h
++++ b/lib/request.h
+@@ -95,6 +95,9 @@ struct SingleRequest {
+ char *newurl; /* Set to the new URL to use when a redirect or a retry is
+ wanted */
+
++#ifndef CURL_DISABLE_COOKIES
++ char *cookiehost;
++#endif
+ #ifndef CURL_DISABLE_COOKIES
+ unsigned char setcookies;
+ #endif
+diff --git a/lib/url.c b/lib/url.c
+index ec0457bcdd..b9e308add2 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -304,7 +304,7 @@ CURLcode Curl_close(struct Curl_easy **datap)
+ Curl_safefree(data->state.aptr.ref);
+ Curl_safefree(data->state.aptr.host);
+ #ifndef CURL_DISABLE_COOKIES
+- Curl_safefree(data->state.aptr.cookiehost);
++ Curl_safefree(data->req.cookiehost);
+ #endif
+ #ifndef CURL_DISABLE_RTSP
+ Curl_safefree(data->state.aptr.rtsp_transport);
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 5ae148054b..d71337c8f6 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1052,9 +1052,6 @@ struct UrlState {
+ char *rangeline;
+ char *ref;
+ char *host;
+-#ifndef CURL_DISABLE_COOKIES
+- char *cookiehost;
+-#endif
+ #ifndef CURL_DISABLE_RTSP
+ char *rtsp_transport;
+ #endif
+diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
+index 53abf60901..da0f8f55d4 100644
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -264,7 +264,7 @@ test2309 \
+ \
+ test2400 test2401 test2402 test2403 test2404 test2405 test2406 test2407 \
+ \
+-test2500 test2501 test2502 test2503 \
++test2500 test2501 test2502 test2503 test2504 \
+ \
+ test2600 test2601 test2602 test2603 test2604 test2605 \
+ \
+diff --git a/tests/data/test2504 b/tests/data/test2504
+new file mode 100644
+index 0000000000..8cec1c8210
+--- /dev/null
++++ b/tests/data/test2504
+@@ -0,0 +1,52 @@
++<?xml version="1.0" encoding="US-ASCII"?>
++<testcase>
++<info>
++<keywords>
++HTTP
++cookies
++</keywords>
++</info>
++
++# Server-side
++<reply>
++<data crlf="headers" nocheck="yes">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: server.example.com
++Content-Length: 47
++Set-Cookie: sid=SECRET123; Path=/
++
++file contents should appear once for each file
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++<tool>
++lib%TESTNUMBER
++</tool>
++<name>
++custom Host with cookie, handle reuse, no custom Host:
++</name>
++<command>
++http://%HOSTIP:%HTTPPORT
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="headers">
++GET / HTTP/1.1
++Host: victim.internal
++Accept: */*
++
++GET / HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Accept: */*
++
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
+index e3202804a9..2319bafe72 100644
+--- a/tests/libtest/Makefile.inc
++++ b/tests/libtest/Makefile.inc
+@@ -113,7 +113,7 @@ TESTS_C = \
+ lib2023.c lib2032.c lib2082.c \
+ lib2301.c lib2302.c lib2304.c lib2306.c lib2308.c lib2309.c \
+ lib2402.c lib2404.c lib2405.c \
+- lib2502.c \
++ lib2502.c lib2504.c \
+ lib2700.c \
+ lib3010.c lib3025.c lib3026.c lib3027.c lib3033.c lib3034.c \
+ lib3100.c lib3101.c lib3102.c lib3103.c lib3104.c lib3105.c \
+diff --git a/tests/libtest/lib2504.c b/tests/libtest/lib2504.c
+new file mode 100644
+index 0000000000..72b965d6e6
+--- /dev/null
++++ b/tests/libtest/lib2504.c
+@@ -0,0 +1,93 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) Linus Nielsen Feltzing <linus@haxx.se>
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++#include "first.h"
++
++#include "testtrace.h"
++
++static size_t sink2504(char *ptr, size_t size, size_t nmemb, void *ud)
++{
++ (void)ptr;
++ (void)ud;
++ return size * nmemb;
++}
++
++static void dump_cookies2504(CURL *h, const char *tag)
++{
++ struct curl_slist *cookies = NULL;
++ struct curl_slist *nc;
++ CURLcode rc = curl_easy_getinfo(h, CURLINFO_COOKIELIST, &cookies);
++
++ curl_mprintf("== %s ==\n", tag);
++ if(rc) {
++ curl_mprintf("getinfo error: %d\n", (int)rc);
++ return;
++ }
++ for(nc = cookies; nc; nc = nc->next)
++ puts(nc->data);
++ curl_slist_free_all(cookies);
++}
++
++static CURLcode test_lib2504(const char *URL)
++{
++ CURL *curl;
++ CURLcode result = CURLE_OUT_OF_MEMORY;
++ struct curl_slist *hdrs = NULL;
++
++ if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
++ curl_mfprintf(stderr, "curl_global_init() failed\n");
++ return TEST_ERR_MAJOR_BAD;
++ }
++
++ curl = curl_easy_init();
++ if(!curl) {
++ curl_mfprintf(stderr, "curl_easy_init() failed\n");
++ curl_global_cleanup();
++ return TEST_ERR_MAJOR_BAD;
++ }
++
++ hdrs = curl_slist_append(hdrs, "Host: victim.internal");
++ if(hdrs) {
++ test_setopt(curl, CURLOPT_WRITEFUNCTION, sink2504);
++ test_setopt(curl, CURLOPT_COOKIEFILE, "");
++ test_setopt(curl, CURLOPT_HTTPHEADER, hdrs);
++ test_setopt(curl, CURLOPT_URL, URL);
++
++ result = curl_easy_perform(curl);
++ curl_mprintf("req1=%d\n", (int)result);
++ dump_cookies2504(curl, "after request 1");
++
++ test_setopt(curl, CURLOPT_HTTPHEADER, NULL);
++ test_setopt(curl, CURLOPT_URL, URL);
++
++ result = curl_easy_perform(curl);
++ curl_mprintf("req2=%d\n", (int)result);
++ dump_cookies2504(curl, "after request 2");
++ }
++test_cleanup:
++ curl_slist_free_all(hdrs);
++ curl_easy_cleanup(curl);
++ curl_global_cleanup();
++
++ return result;
++}
@@ -161,6 +161,7 @@ RDEPENDS:${PN}-ptest += " \
perl-module-memoize \
perl-module-storable \
perl-module-time-hires \
+ file://CVE-2026-6276.patch \
"
PACKAGES =+ "lib${BPN}"
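Review bot: The added `file://CVE-2026-6276.patch \` line lands inside the `RDEPENDS:${PN}-ptest += " \` list rather than in `SRC_URI`; both the hunk header and the surrounding `perl-module-*` entries point to that variable. Unless the patch is also listed in `SRC_URI` elsewhere in the recipe, it is not fetched or applied, so the build would ship without the CVE-2026-6276 fix while the ptest package gains a bogus runtime-dependency entry. Move the line to the recipe's `SRC_URI` assignment, which is outside this hunk, and confirm in the do_patch log that the patch was applied.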