CURL-CVE-2026-9545

Source
https://curl.se/docs/CVE-2026-9545.html
Import Source
https://curl.se/docs/CURL-CVE-2026-9545.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2026-9545
Aliases
  • CVE-2026-9545
Published
2026-06-24T08:00:00Z
Modified
2026-06-24T08:07:08.355546Z
Summary
exposing HTTP/3 early data
Details

In this scenario, libcurl first talks to a legitimate HTTP/3 server for the initial transfers; by the time it makes a second transfer to the same site, that server has been replaced by an attacker's impostor machine that does not present a valid certificate.

When libcurl returns to the hostname the second time with a cached SSL session (CURLOPT_SSL_SESSIONID_CACHE is not disabled) and early data enabled (the CURLSSLOPT_EARLYDATA bit is set in CURLOPT_SSL_OPTIONS), libcurl might send off the second request's bytes on that new connection before enforcing the certificate verification failure, potentially leaking sensitive information.

Database specific
{
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2026-9545.json",
    "last_affected": "8.20.0",
    "issue": "https://hackerone.com/reports/3752888",
    "affects": "both",
    "severity": "Low",
    "www": "https://curl.se/docs/CVE-2026-9545.html",
    "CWE": {
        "desc": "Exposure of Sensitive Information to an Unauthorized Actor",
        "id": "CWE-200"
    }
}
References
Credits
    • Eunsoo Kim (Autonomous Code Security team at Microsoft) - FINDER
    • Stefan Eissing - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
8.11.0
Fixed
8.21.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

8.*
8.11.0
8.11.1
8.12.0
8.12.1
8.13.0
8.14.0
8.14.1
8.15.0
8.16.0
8.17.0
8.18.0
8.19.0
8.20.0
Other
curl-8_11_0
curl-8_11_1
curl-8_12_0
curl-8_12_1
curl-8_13_0
curl-8_14_0
curl-8_14_1
curl-8_15_0
curl-8_16_0
curl-8_17_0
curl-8_18_0
curl-8_19_0
curl-8_20_0
rc-8_18_0-1
rc-8_18_0-2
rc-8_18_0-3
rc-8_19_0-1
rc-8_19_0-2
rc-8_19_0-3
rc-8_20_0-1
rc-8_20_0-2
rc-8_20_0-3

Database specific

source
"https://curl.se/docs/CURL-CVE-2026-9545.json"
vanir_signatures_modified
"2026-06-24T08:07:08Z"
vanir_signatures
[
    {
        "target": {
            "file": "lib/vquic/curl_ngtcp2.c",
            "function": "cf_ngtcp2_handshake_completed"
        },
        "id": "CURL-CVE-2026-9545-0d23da02",
        "source": "https://github.com/curl/curl.git/commit/7b9613fa9b1a5e04301a3920eef58e8138dad05e",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1860.0,
            "function_hash": "153317582380559109273442960860016262309"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/vquic/curl_ngtcp2.c"
        },
        "id": "CURL-CVE-2026-9545-54b362b4",
        "source": "https://github.com/curl/curl.git/commit/7b9613fa9b1a5e04301a3920eef58e8138dad05e",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "57837649208692003109394932325481589562",
                "148897155669795626335640653234286619658",
                "9221967505252324245084890594736647812",
                "229339314465024621466349949698476012120",
                "316992347216962730835430776133092520281",
                "138701791296620101350765089525540312140",
                "296327085920196481168568880711169351555",
                "5354081226792327714123399886029077496",
                "60630981963415792295832576530337112547",
                "123864576250417216190818910419145918435",
                "142835053885326796857721237189839522787",
                "192948789493812143984840421097894964353",
                "280733359488708788015184071526492175907",
                "111945068324397344898130947918406342943",
                "315163984305334991863463999532320024294",
                "61010276926023090237519678734162290207",
                "49355929218012117922133473512437199901",
                "7905145105583230885624546070173304809",
                "57003410938242733606680334162856661189",
                "299257298584114877497706458750155152547"
            ]
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/vquic/curl_ngtcp2.c",
            "function": "cf_ngtcp2_recv"
        },
        "id": "CURL-CVE-2026-9545-837feabc",
        "source": "https://github.com/curl/curl.git/commit/7b9613fa9b1a5e04301a3920eef58e8138dad05e",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1412.0,
            "function_hash": "225529865282307993815272211670638534898"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/vquic/curl_ngtcp2.c",
            "function": "cf_ngtcp2_send"
        },
        "id": "CURL-CVE-2026-9545-8e6fa72c",
        "source": "https://github.com/curl/curl.git/commit/7b9613fa9b1a5e04301a3920eef58e8138dad05e",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 2382.0,
            "function_hash": "126594513254768600204067746099346311735"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/vquic/curl_ngtcp2.c",
            "function": "cf_ngtcp2_connect"
        },
        "id": "CURL-CVE-2026-9545-d0afa7aa",
        "source": "https://github.com/curl/curl.git/commit/7b9613fa9b1a5e04301a3920eef58e8138dad05e",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 2392.0,
            "function_hash": "116844867287374578722968671244621372900"
        },
        "signature_version": "v1"
    }
]