CVE-2026-9545
Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
03/07/2026
Last modified:
03/07/2026
Description
In this scenario, libcurl first uses a proper HTTP/3 server for the initial
transfers, and when it makes a second transfer to the same site, the server has been
replaced by the attacker's impostor machine, which has no valid certificate.

When libcurl returns to the hostname the second time with a cached SSL session
(`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the
`CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might
send off the second request's bytes on that new connection *before* enforcing
the certificate verification failure, potentially leaking sensitive
information.



