CVE-2026-9545
ADVISORY - debianSummary
In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL session (CURLOPT_SSL_SESSIONID_CACHE is not disabled) and early data enabled (the CURLSSLOPT_EARLYDATA bit is set in CURLOPT_SSL_OPTIONS), libcurl might send off the second request's bytes on that new connection before enforcing the certificate verification failure. Potentially leaking sensitive information.
- curl 8.21.0~rc2-1 [trixie] - curl (Minor issue) [bookworm] - curl (Vulnerable code not present) [bullseye] - curl (Vulnerable code not present) https://curl.se/docs/CVE-2026-9545.html Introduced with: https://github.com/curl/curl/commit/962097b8dd44ed5b9e7984bc1cdffdbdd566857f (curl-8_11_0) Fixed by: https://github.com/curl/curl/commit/7b9613fa9b1a5e04301a3920eef58e8138dad05e (rc-8_21_0-1, curl-8_21_0)
EPSS Score: 0.00134 (0.032)
Common Weakness Enumeration (CWE)
Alpine
CREATED
UPDATED
ADVISORY IDCVE-2026-9545
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Debian
CREATED
UPDATED
ADVISORY IDCVE-2026-9545
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
N/AlowUbuntu
CREATED
UPDATED
ADVISORY IDCVE-2026-9545
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-