CVE-2026-9545

Summary

In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate.

When libcurl returns to the hostname the second time with a cached SSL session (CURLOPT_SSL_SESSIONID_CACHE is not disabled) and early data enabled (the CURLSSLOPT_EARLYDATA bit is set in CURLOPT_SSL_OPTIONS), libcurl might send off the second request's bytes on that new connection before enforcing the certificate verification failure. Potentially leaking sensitive information.

Affected Software

VendorProductVersion RangeStatus
curlcurl8.20.0 <= 8.20.0affected
curlcurl8.19.0 <= 8.19.0affected
curlcurl8.18.0 <= 8.18.0affected
curlcurl8.17.0 <= 8.17.0affected
curlcurl8.16.0 <= 8.16.0affected
curlcurl8.15.0 <= 8.15.0affected
curlcurl8.14.1 <= 8.14.1affected
curlcurl8.14.0 <= 8.14.0affected
curlcurl8.13.0 <= 8.13.0affected
curlcurl8.12.1 <= 8.12.1affected
curlcurl8.12.0 <= 8.12.0affected
curlcurl8.11.1 <= 8.11.1affected
curlcurl8.11.0 <= 8.11.0affected

Weaknesses

  • CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

References