CVE-2026-11564

Source
https://cve.org/CVERecord?id=CVE-2026-11564
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11564.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-11564
Aliases
Downstream
Related
Published
2026-07-03T06:12:35.251Z
Modified
2026-07-10T10:14:31.138299488Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Native CA trust persist
Details

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.

An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "8.20.0"
                },
                {
                    "last_affected": "8.20.0"
                },
                {
                    "introduced": "8.19.0"
                },
                {
                    "last_affected": "8.19.0"
                },
                {
                    "introduced": "8.18.0"
                },
                {
                    "last_affected": "8.18.0"
                },
                {
                    "introduced": "8.17.0"
                },
                {
                    "last_affected": "8.17.0"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11564.json",
    "cna_assigner": "curl"
}
References

Affected packages

Git / github.com/curl/curl

Affected ranges

Type
GIT
Repo
https://github.com/curl/curl
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "8.17.0"
        },
        {
            "fixed": "8.21.0"
        }
    ]
}

Affected versions

Other
curl-8_17_0
curl-8_18_0
curl-8_19_0
curl-8_20_0
rc-8_18_0-1
rc-8_18_0-2
rc-8_18_0-3
rc-8_19_0-1
rc-8_19_0-2
rc-8_19_0-3
rc-8_20_0-1
rc-8_20_0-2
rc-8_20_0-3
rc-8_21_0-1
rc-8_21_0-2
rc-8_21_0-3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11564.json"