CVE Catalog

CVE-2026-8932

Unknown
Published: Translated: NVD NIST

Summary

libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. Specifically, settings related to the private key were left out from the configuration match checks.

Risk Assessment

The organization may unknowingly use outdated client certificates or private keys, potentially leading to unauthorized access or violation of mTLS security policies.

Recommendation

Update libcurl to a version that fixes the mTLS configuration matching checks, and ensure all connections are renegotiated after changing client certificate-related options.

Original NVD description (English source)

libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS