Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2026-9545

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
03/07/2026
Last modified:
03/07/2026

Description

In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site the server has been replaced by the attacker's impostor machine - without a valid certificate.

When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure, potentially leaking sensitive information.
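
A heuristic source audit for the two preconditions described above, as an added example that is not part of the advisory or of libcurl: it flags easy handles on which `CURLSSLOPT_EARLYDATA` is set in `CURLOPT_SSL_OPTIONS` while `CURLOPT_SSL_SESSIONID_CACHE` is not set to 0. The function name `find_exposed_handles`, the constructed sample C source, and the tracking of handles by variable name are assumptions of this example.

```python
import re

# String literals are matched first so that "https://..." is not taken for a // comment.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)
# curl_easy_setopt(handle, CURLOPT_X, value); the value may span several lines.
SETOPT = re.compile(
    r"curl_easy_setopt\s*\(\s*([^,]+?)\s*,\s*(CURLOPT_\w+)\s*,\s*(.+?)\s*\)\s*;", re.S)
# Literal zero, optionally cast: 0, 0L, (long)0
ZERO = re.compile(r"(?:\(\s*long\s*\)\s*)?0[lL]?")

def strip_comments(src):
    """Blank out C comments but keep string literals untouched."""
    return TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else " ", src)

def find_exposed_handles(src):
    """Return handle names that have early data on and the session cache not disabled.

    Heuristic: option values held in variables, curl_easy_reset() and
    curl_easy_duphandle() are not followed; review those call sites by hand.
    """
    state = {}
    for handle, opt, val in SETOPT.findall(strip_comments(src)):
        # libcurl enables the session ID cache by default.
        st = state.setdefault(handle, {"early": False, "cache": True})
        if opt == "CURLOPT_SSL_OPTIONS":
            st["early"] = "CURLSSLOPT_EARLYDATA" in val
        elif opt == "CURLOPT_SSL_SESSIONID_CACHE":
            st["cache"] = ZERO.fullmatch(val) is None
    return sorted(h for h, st in state.items() if st["early"] and st["cache"])

# Constructed sample input: three easy handles configured in different ways.
SAMPLE_C = r'''
CURL *a = curl_easy_init();
curl_easy_setopt(a, CURLOPT_URL, "https://example.com/");
/* curl_easy_setopt(a, CURLOPT_SSL_SESSIONID_CACHE, 0L); */
curl_easy_setopt(a, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_EARLYDATA);

CURL *b = curl_easy_init();
curl_easy_setopt(b, CURLOPT_SSL_OPTIONS,
                 (long)(CURLSSLOPT_EARLYDATA | CURLSSLOPT_NATIVE_CA));
curl_easy_setopt(b, CURLOPT_SSL_SESSIONID_CACHE, 0L);

CURL *c = curl_easy_init();
curl_easy_setopt(c, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_NATIVE_CA);
'''

if __name__ == "__main__":
    print(find_exposed_handles(SAMPLE_C))
```
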

Impact