🔐 CVE Alert

CVE-2026-9545

UNKNOWN 0.0

exposing HTTP/3 early data

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.

Vendor curl
Product curl
Published Jul 3, 2026
Stay Ahead of the Next One

Get instant alerts for curl curl

Be the first to know when new unknown vulnerabilities affecting curl curl are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

curl / curl
8.20.0 ≤ 8.20.0 8.19.0 ≤ 8.19.0 8.18.0 ≤ 8.18.0 8.17.0 ≤ 8.17.0 8.16.0 ≤ 8.16.0 8.15.0 ≤ 8.15.0 8.14.1 ≤ 8.14.1 8.14.0 ≤ 8.14.0 8.13.0 ≤ 8.13.0 8.12.1 ≤ 8.12.1 8.12.0 ≤ 8.12.0 8.11.1 ≤ 8.11.1 8.11.0 ≤ 8.11.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗
curl.se: https://curl.se/docs/CVE-2026-9545.json curl.se: https://curl.se/docs/CVE-2026-9545.html hackerone.com: https://hackerone.com/reports/3752888

Credits

Eunsoo Kim (Autonomous Code Security team at Microsoft) Stefan Eissing