CVE-2026-9545

Published: July 03, 2026 Modified: July 03, 2026

Description

In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and by the time it makes a second transfer to the same site, that server has been replaced by the attacker's impostor machine, which does not have a valid certificate. When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure, potentially leaking sensitive information.


References to Advisories, Solutions, and Tools

https://curl.se/docs/CVE-2026-9545.html
Source: 2499f714-1537-4658-8207-48ae4bb9eae9
https://curl.se/docs/CVE-2026-9545.json
Source: 2499f714-1537-4658-8207-48ae4bb9eae9
https://hackerone.com/reports/3752888
Source: 2499f714-1537-4658-8207-48ae4bb9eae9

3 reference(s) from NVD

Quick Stats

CVSS v3 Score: N/A (out of 10.0)
Exploitation Status: Not in CISA KEV