transfers, and when it makes a second transfer to the same site it has been
replaced by the attacker's impostor machine - without a valid certificate.
When libcurl returns to the hostname the second time with a cached SSL session
(`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the
`CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might
send off the second request's bytes on that new connection *before* enforcing
the certificate verification failure. Potentially leaking sensitive
information.
Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Ubuntu USN |
USN-8487-1 | curl vulnerabilities |
Tue, 07 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-295 | |
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Mon, 06 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Mon, 06 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-200 CWE-287 |
Mon, 06 Jul 2026 01:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-200 CWE-287 |
Sun, 05 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-200 |
Sun, 05 Jul 2026 05:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-200 |
Sat, 04 Jul 2026 17:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-287 |
Sat, 04 Jul 2026 01:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-287 |
Fri, 03 Jul 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-200 |
Fri, 03 Jul 2026 10:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-200 |
Fri, 03 Jul 2026 08:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Curl
Curl curl |
|
| Vendors & Products |
Curl
Curl curl |
Fri, 03 Jul 2026 06:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information. | |
| Title | exposing HTTP/3 early data | |
| References |
|
Status: PUBLISHED
Assigner: curl
Published:
Updated: 2026-07-06T16:53:23.396Z
Reserved: 2026-05-26T06:45:08.680Z
Link: CVE-2026-9545
Updated: 2026-07-06T16:53:19.588Z
No data.
OpenCVE Enrichment
Updated: 2026-07-09T00:00:03Z
Ubuntu USN