CURL-CVE-2026-11564

Source
https://curl.se/docs/CVE-2026-11564.html
Import Source
https://curl.se/docs/CURL-CVE-2026-11564.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2026-11564
Aliases
  • CVE-2026-11564
Published
2026-06-24T08:00:00Z
Modified
2026-06-24T14:05:44.935409Z
Summary
Native CA trust persist
Details

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.

An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.

Database specific
{
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2026-11564.json",
    "last_affected": "8.20.0",
    "issue": "https://hackerone.com/reports/3788984",
    "affects": "lib",
    "severity": "Low",
    "www": "https://curl.se/docs/CVE-2026-11564.html",
    "CWE": {
        "desc": "Improper Certificate Validation",
        "id": "CWE-295"
    }
}
References
Credits
    • Filipe Casal of Trail of Bits in collaboration with OpenAI - FINDER
    • Stefan Eissing - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
8.17.0
Fixed
8.21.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

8.*
8.17.0
8.18.0
8.19.0
8.20.0
Other
curl-8_17_0
curl-8_18_0
curl-8_19_0
curl-8_20_0
rc-8_18_0-1
rc-8_18_0-2
rc-8_18_0-3
rc-8_19_0-1
rc-8_19_0-2
rc-8_19_0-3
rc-8_20_0-1
rc-8_20_0-2
rc-8_20_0-3
rc-8_21_0-1

Database specific

source
"https://curl.se/docs/CURL-CVE-2026-11564.json"
vanir_signatures_modified
"2026-06-24T14:05:44Z"
vanir_signatures
[
    {
        "target": {
            "file": "lib/doh.c"
        },
        "id": "CURL-CVE-2026-11564-24e02116",
        "source": "https://github.com/curl/curl.git/commit/d69bfad3fa3daf5e72331f6870667607828d5891",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "302775823278107257376010104080087955513",
                "97617786226625773204756887854767609273",
                "323994837270150557893228277911646965977",
                "124352082369572260332869994101778297790"
            ]
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/setopt.c"
        },
        "id": "CURL-CVE-2026-11564-5f0d3993",
        "source": "https://github.com/curl/curl.git/commit/d69bfad3fa3daf5e72331f6870667607828d5891",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/vtls/vtls_config.c",
            "function": "Curl_ssl_easy_config_complete"
        },
        "id": "CURL-CVE-2026-11564-6bb6da89",
        "source": "https://github.com/curl/curl.git/commit/d69bfad3fa3daf5e72331f6870667607828d5891",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 4989.0,
            "function_hash": "21443433544174325038658804853537595721"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/doh.c",
            "function": "doh_probe_run"
        },
        "id": "CURL-CVE-2026-11564-6d85ea71",
        "source": "https://github.com/curl/curl.git/commit/d69bfad3fa3daf5e72331f6870667607828d5891",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 4063.0,
            "function_hash": "71063295310151775568400902582687714843"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/setopt.c",
            "function": "set_ssl_options"
        },
        "id": "CURL-CVE-2026-11564-8382c086",
        "source": "https://github.com/curl/curl.git/commit/d69bfad3fa3daf5e72331f6870667607828d5891",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 609.0,
            "function_hash": "332182566022961669311125906850697230454"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/vtls/vtls_config.c"
        },
        "id": "CURL-CVE-2026-11564-e26f3f84",
        "source": "https://github.com/curl/curl.git/commit/d69bfad3fa3daf5e72331f6870667607828d5891",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/setopt.c",
            "function": "setopt_long_ssl"
        },
        "id": "CURL-CVE-2026-11564-fbb5c288",
        "source": "https://github.com/curl/curl.git/commit/d69bfad3fa3daf5e72331f6870667607828d5891",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1370.0,
            "function_hash": "26599435492158053357627362200812826547"
        },
        "signature_version": "v1"
    }
]