Skip to main content

libcurl CVE-2026-11564

| EUVDEUVD-2026-41499 CRITICAL
Improper Certificate Validation (CWE-295)
Critical
Disputed · 9.1 Vendor
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (CNA) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
7.4 HIGH

Network vector but AC:H because it needs an app that switches CA source on a reused handle plus a MITM attacker holding a natively-trusted cert; high C/I impact via TLS interception, no availability effect.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat
6.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Updated
Jul 06, 2026 - 18:35 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 18:35 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Jul 06, 2026 - 18:22 NVD
9.1 (CRITICAL)
Analysis Generated
Jun 24, 2026 - 18:24 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

TLS certificate-trust confusion in libcurl (curl 8.17.0 through 8.20.0) lets a reused pooled connection retain trust in the native platform CA store even after the application reconfigures the same easy handle to use custom CA material for a later transfer. An attacker positioned to intercept traffic could present a certificate valid under the native store - which the application intended to no longer trust - to silently intercept or spoof the connection. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain MITM position on victim network
Delivery
App reuses easy handle after CA switch
Exploit
Present cert trusted by native store
Execution
libcurl reuses stale native-trust decision
Impact
Intercept or tamper TLS traffic

Vulnerability AssessmentAI

Exploitation Exploitation requires a specific application behavior: reusing one libcurl easy handle across transfers while changing its CA trust source from the default native platform store to custom CA material (or vice versa) between those transfers, so that a pooled connection carries the earlier native-trust decision into a transfer meant to use stricter custom CA validation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:N, score 9.1) treats this as a trivially exploitable network attack, but the description implies materially higher complexity: exploitation requires (1) a specific application coding pattern that switches CA material on a reused handle, and (2) an active MITM position holding a certificate trusted by the victim's native store. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application first performs a TLS transfer trusting the OS native CA store, then reuses the same easy handle for a second request after switching it to a private, custom CA bundle intended to restrict which issuers are accepted. An attacker on the network path presents a certificate that chains to a publicly/natively trusted CA; libcurl reuses the prior connection's native-trust decision and accepts it, allowing the attacker to read or tamper with data the application believed was protected by the stricter custom CA. …
Remediation Patch available per vendor advisory (https://curl.se/docs/CVE-2026-11564.html) - upgrade libcurl to the fixed release above 8.20.0 once it is deployed by your distribution or vendor; the provided data does not include an exact fixed version number, so confirm it against the curl advisory rather than assuming one. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all systems running libcurl 8.17.0-8.20.0 and identify which applications use connection pooling with custom CA material reconfiguration. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Curl

View all
CVE-2013-0249 HIGH POC
7.5 Mar 08

Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7

CVE-2015-3145 HIGH
7.5 Apr 24

The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which

CVE-2022-32221 CRITICAL POC
9.8 Dec 05

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data t

CVE-2022-32207 CRITICAL POC
9.8 Jul 07

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the

CVE-2018-0500 CRITICAL POC
9.8 Jul 11

Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that mig

CVE-2023-23914 CRITICAL POC
9.1 Feb 23

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functional

CVE-2023-27534 HIGH POC
8.8 Mar 30

A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly re

CVE-2023-27533 HIGH POC
8.8 Mar 30

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an atta

CVE-2025-0665 HIGH POC
7.0 Feb 05

A double-close vulnerability exists in libcurl when tearing down connection channels after threaded name resolution, cau

CVE-2022-27778 HIGH POC
8.1 Jun 02

A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used

CVE-2021-22901 HIGH POC
8.1 Jun 11

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when

CVE-2020-8177 HIGH POC
7.8 Dec 14

curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead to

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Not-Affected
SLES15-SP6-CHOST-BYOS Not-Affected
SLES15-SP6-CHOST-BYOS-Aliyun Not-Affected
SLES15-SP6-CHOST-BYOS-Azure Not-Affected
SLES15-SP6-CHOST-BYOS-EC2 Not-Affected

Share

CVE-2026-11564 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy