CVE Vulnerabilities

CVE-2026-11564

Improper Certificate Validation

Published: Jul 03, 2026 | Modified: Jul 07, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
6.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Ubuntu
LOW
root.io logo minimus.io logo echo.ai logo

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.

An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

NameVendorStart VersionEnd Version
CurlHaxx8.17.0 (including)8.21.0 (excluding)
Red Hat Hardened ImagesRedHatcurl-main-8.21.0-0.1.hum1*
Red Hat Hardened ImagesRedHatrust-main-1.96.1-1.hum1*
CurlUbuntudevel*
CurlUbunturesolute*
CurlUbuntuupstream*

Potential Mitigations

References