Skip to main content

curl EUVDEUVD-2026-41493

| CVE-2026-9545 HIGH
7.5
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
3.7 LOW

Active MITM plus non-default early-data opt-in raises complexity to AC:H; no client auth so PR:N; only request data leaks, giving C:H with I:N/A:N.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jul 06, 2026 - 18:50 vuln.today
v5 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 18:49 vuln.today
v4 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 18:47 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 18:46 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Jul 06, 2026 - 18:22 NVD
7.5 (HIGH)
Analysis Generated
Jun 24, 2026 - 18:26 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Information disclosure in libcurl (curl 8.11.0 through 8.20.0) allows a network man-in-the-middle to capture sensitive request data when TLS early data (0-RTT) is combined with SSL session ID caching. If an application enables the CURLSSLOPT_EARLYDATA bit and leaves the session cache active, libcurl can transmit a resumed request's bytes on a reconnection before it enforces a certificate verification failure, so an attacker who impersonates the original host without a valid certificate may receive the leaked data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Establish MITM position on client's network path
Delivery
Impersonate target host without valid certificate
Exploit
Client reconnects reusing cached TLS session
Execution
libcurl sends request as 0-RTT early data
Persist
Certificate verification fails after data already sent
Impact
Attacker captures leaked sensitive request bytes

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following to hold simultaneously: the libcurl-based application must have set the CURLSSLOPT_EARLYDATA bit in CURLOPT_SSL_OPTIONS (TLS 0-RTT is OFF by default); CURLOPT_SSL_SESSIONID_CACHE must remain enabled (the default) so a resumable session exists; and a prior successful transfer to the host must have populated the session cache. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/C:H) treats this as trivially exploitable network confidentiality loss, but that score understates the real preconditions: exploitation requires (1) an application that explicitly enabled TLS early data - a non-default setting - and (2) an attacker already positioned as an active man-in-the-middle able to impersonate the target host. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application built on libcurl enables TLS early data for performance and makes repeated requests to a host (e.g., an API endpoint) carrying authentication headers or cookies. An attacker with a network position - via ARP/DNS spoofing, rogue Wi-Fi, or route hijack - impersonates that host on the client's second connection without a valid certificate; libcurl resumes the cached session and transmits the request's 0-RTT bytes to the impostor before the certificate check aborts, leaking the sensitive headers. …
Remediation Patch available per vendor advisory - upgrade to the fixed curl/libcurl release identified at https://curl.se/docs/CVE-2026-9545.html (a released patched version tag is not independently confirmed in the input, so consult the advisory for the exact fixed version), and on Ubuntu apply the packages from USN-8487-1 (https://ubuntu.com/security/notices/USN-8487-1). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all applications using libcurl versions 8.11.0-8.20.0 and determine whether CURLSSLOPT_EARLYDATA and session cache are enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Curl

View all
CVE-2013-0249 HIGH POC
7.5 Mar 08

Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7

CVE-2015-3145 HIGH
7.5 Apr 24

The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which

CVE-2022-32221 CRITICAL POC
9.8 Dec 05

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data t

CVE-2022-32207 CRITICAL POC
9.8 Jul 07

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the

CVE-2018-0500 CRITICAL POC
9.8 Jul 11

Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that mig

CVE-2023-23914 CRITICAL POC
9.1 Feb 23

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functional

CVE-2023-27534 HIGH POC
8.8 Mar 30

A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly re

CVE-2023-27533 HIGH POC
8.8 Mar 30

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an atta

CVE-2025-0665 HIGH POC
7.0 Feb 05

A double-close vulnerability exists in libcurl when tearing down connection channels after threaded name resolution, cau

CVE-2022-27778 HIGH POC
8.1 Jun 02

A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used

CVE-2021-22901 HIGH POC
8.1 Jun 11

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when

CVE-2020-8177 HIGH POC
7.8 Dec 14

curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead to

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected
SLES15-SP6-CHOST-BYOS-EC2 Affected

Share

EUVD-2026-41493 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy