CVE-2026-9545

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 03/07/2026
Last modified: 03/07/2026

Description

In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and by the time it makes a second transfer to the same site, that server has been replaced by the attacker's impostor machine, which does not have a valid certificate.

When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure, potentially leaking sensitive information to the impostor.

Impact