CVE-2026-9545

curl · curl

A flaw in libcurl's HTTP/3 implementation can leak request data when an attacker replaces a legitimate server with an impostor between transfers to the same host: on the follow-up connection, libcurl may send request bytes before the failed certificate verification is enforced.

Executive summary

An attacker who can impersonate a server (for example, one positioned to intercept the client's traffic) can cause curl and libcurl 8.11.0 through 8.20.0, when using HTTP/3, to transmit request data to the impostor before the certificate verification failure takes effect. No authentication to the client or the server is required.

Vulnerability

This vulnerability is specific to HTTP/3 (QUIC). It occurs when libcurl performs a second transfer to a host that has since been replaced by an impostor server: the client may send request bytes on the new connection before the certificate verification failure is enforced, so data intended for the legitimate server (request headers, which may carry credentials, and any body already queued) reaches the impostor. Certificate verification still fails and the transfer is still reported as an error; the problem is that some request data has already left the client by then.

Business impact

The CVSS score of 7.5 (High) reflects the confidentiality impact. An attacker positioned to intercept traffic and stand in for the destination receives request data meant for the legitimate server, which can expose credentials or private business information carried in the leaked request.

Remediation

Immediate Action: Update to curl version 8.21.0 or later, which corrects the ordering between certificate verification and the sending of request data on HTTP/3 connections. Because libcurl is frequently bundled inside applications rather than taken from the system package, inventory embedded copies as well as the system curl.

Proactive Monitoring: Log and review certificate verification failures on HTTP/3 connections from managed clients (the curl tool reports these as exit code 60, CURLE_PEER_FAILED_VERIFICATION in libcurl). An impostor server produces exactly this failure, and the exploit scenario requires a prior successful transfer to the same host, so a cluster of verification errors against a host that previously worked is the observable signature of an attempt. Network latency alone is not a reliable indicator.

Compensating Controls: If patching is delayed, disable HTTP/3 in the affected client until the update can be applied. For the curl tool, do not pass --http3 or --http3-only; for libcurl applications, do not set CURLOPT_HTTP_VERSION to CURL_HTTP_VERSION_3 or CURL_HTTP_VERSION_3ONLY, and do not enable the CURLALTSVC_H3 flag in CURLOPT_ALTSVC_CTRL, which otherwise lets an Alt-Svc advertisement upgrade a later connection to HTTP/3. Transfers then use HTTP/2 or HTTP/1.1 over TLS, which this issue does not affect.
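The three remediation steps above amount to an inventory question: which hosts run a libcurl in the affected range and were built with HTTP/3 at all? The script below is an added example written for this advisory, not code from the curl project. It assumes the version range stated above (8.11.0 through 8.20.0, fixed in 8.21.0), the standard layout of `curl --version` output (a first line containing a `libcurl/X.Y.Z` token and a `Features:` line that lists `HTTP3` when the build supports it), and embeds two constructed sample outputs so it runs offline; when a local `curl` binary is present it assesses that too.

```shell
#!/bin/sh
# Added example for this advisory, not code from the curl project: decide whether an
# installed curl/libcurl is exposed to CVE-2026-9545, i.e. its version lies in
# 8.11.0 through 8.20.0 AND the build has HTTP/3 support (the bug is HTTP/3-only).

# Turn "major.minor.patch" into one integer so versions compare numerically
# (a plain string comparison would rank 8.9.0 above 8.11.0).
version_num() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# "yes" if the version is inside the affected range [8.11.0, 8.20.0], else "no".
is_affected() {
    v=$(version_num "$1")
    if [ "$v" -ge "$(version_num 8.11.0)" ] && [ "$v" -le "$(version_num 8.20.0)" ]; then
        echo yes
    else
        echo no
    fi
}

# Pull the libcurl version out of `curl --version` output. The first line has the
# form "curl X.Y.Z (triplet) libcurl/X.Y.Z <backends...>"; the libcurl/ token is the
# library actually linked, which is what matters for a library bug.
libcurl_version() {
    printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# "yes" if the Features: line lists HTTP3, i.e. the build can speak HTTP/3 at all.
has_http3() {
    if printf '%s\n' "$1" | grep -q '^Features:.*HTTP3'; then echo yes; else echo no; fi
}

# Combine both checks. Prints one of: affected | not-affected | no-http3 | unknown
assess() {
    ver=$(libcurl_version "$1")
    [ -n "$ver" ] || { echo unknown; return; }
    [ "$(has_http3 "$1")" = yes ] || { echo no-http3; return; }
    if [ "$(is_affected "$ver")" = yes ]; then echo affected; else echo not-affected; fi
}

# Constructed sample outputs (not captured from real hosts) so the script runs offline.
SAMPLE_H3='curl 8.15.0 (x86_64-pc-linux-gnu) libcurl/8.15.0 OpenSSL/3.0.13 nghttp2/1.64.0 ngtcp2/1.9.0 nghttp3/1.6.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile libz SSL threadsafe TLS-SRP'
SAMPLE_NOH3='curl 8.15.0 (x86_64-pc-linux-gnu) libcurl/8.15.0 OpenSSL/3.0.13 nghttp2/1.64.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz SSL threadsafe TLS-SRP'

echo "sample with HTTP/3:    $(assess "$SAMPLE_H3")"
echo "sample without HTTP/3: $(assess "$SAMPLE_NOH3")"
# Check the local binary too when one is present.
if command -v curl >/dev/null 2>&1; then
    echo "local curl:            $(assess "$(curl --version 2>/dev/null)")"
fi
```

A build without HTTP3 in its feature list cannot reach the vulnerable code path even at an affected version, which is why the script reports no-http3 separately from not-affected. Note that this only covers the curl tool and the libcurl it links against; applications that bundle their own libcurl must be checked against their vendored copy.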

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations should prioritize updating to version 8.21.0 or later to remove the risk of request data leaking during HTTP/3 transfers. Exploitation requires an attacker who can impersonate the server at the time of a repeat HTTP/3 transfer, so the exposure is narrower than a remotely triggerable flaw, but the most reliable defense remains ensuring that every copy of libcurl, including those embedded in applications, is fully patched.