CVE-2026-9545
UnknownSummary
A vulnerability in libcurl allows sending request data before SSL/TLS certificate verification when using cached SSL sessions and early data enabled during HTTP/3 transitions. An attacker can replace the server with an unauthorized machine lacking a valid certificate, potentially leaking sensitive information.
Risk Assessment
The risk involves potential disclosure of confidential data sent in HTTP requests, such as authorization tokens or personal data, before libcurl validates the server certificate. This could enable an attacker to intercept this data in a man-in-the-middle scenario.
Recommendation
Immediately update libcurl to a patched version. As a temporary workaround, disable SSL session caching (CURLOPT_SSL_SESSIONID_CACHE) or early data (CURLSSLOPT_EARLYDATA) in applications using libcurl.
Original NVD description (English source)
In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.

