CVE Vulnerabilities

CVE-2026-9545

Published: Jul 03, 2026 | Modified: Jul 07, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ubuntu
LOW
root.io logo minimus.io logo echo.ai logo

In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attackers impostor machine - without a valid certificate.

When libcurl returns to the hostname the second time with a cached SSL session (CURLOPT_SSL_SESSIONID_CACHE is not disabled) and early data enabled (the CURLSSLOPT_EARLYDATA bit is set in CURLOPT_SSL_OPTIONS), libcurl might send off the second requests bytes on that new connection before enforcing the certificate verification failure. Potentially leaking sensitive information.

Affected Software

NameVendorStart VersionEnd Version
CurlHaxx8.11.0 (including)8.21.0 (excluding)
CurlUbuntudevel*
CurlUbuntuquesting*
CurlUbunturesolute*
CurlUbuntuupstream*

References