CVE-2026-8932
UnknownSummary
libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. Specifically, settings related to the private key were left out from the configuration match checks.
Risk Assessment
The organization may unknowingly use outdated client certificates or private keys, potentially leading to unauthorized access or violation of mTLS security policies.
Recommendation
Update libcurl to a version that fixes the mTLS configuration matching checks, and ensure all connections are renegotiated after changing client certificate-related options.
Original NVD description (English source)
libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.

