ALPINE-CVE-2026-11564

Source
https://security.alpinelinux.org/vuln/CVE-2026-11564
Import Source
https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-11564.json
JSON Data
https://api.osv.dev/v1/vulns/ALPINE-CVE-2026-11564
Upstream
  • CVE-2026-11564
Published
2026-07-03T07:16:23.790Z
Modified
2026-07-08T09:30:04.964046563Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.

An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.

References

Affected packages

Alpine:v3.24 / curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.17.0
Fixed
8.21.0-r0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-11564.json"