PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9545 curl CVE debrief

libcurl's improper certificate validation can lead to sensitive information disclosure when using a cached SSL session without verifying the certificate on a second transfer to the same site. This occurs when libcurl returns to the hostname with a cached SSL session and early data enabled. The vulnerability has a HIGH CVSS score of 7.5, indicating a high priority for mitigation.

Vendor
curl
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-03
Original CVE updated
2026-07-07
Advisory published
2026-07-03
Advisory updated
2026-07-07

Who should care

Users of libcurl, especially those using HTTP/3 with early data enabled, should be aware of this vulnerability and take steps to mitigate it. This includes updating libcurl to version 8.21.0 or later, disabling CURLOPT_SSL_SESSIONID_CACHE or CURLOPT_SSL_OPTIONS with CURLSSLOPT_EARLYDATA, and monitoring for unusual traffic or errors.

Technical summary

libcurl's improper certificate validation can lead to sensitive information disclosure when using a cached SSL session without verifying the certificate on a second transfer to the same site. This occurs when libcurl returns to the hostname with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`). The vulnerability has a HIGH CVSS score of 7.5, indicating a high priority for mitigation. Affected products using libcurl with HTTP/3 and early data enabled should review and update their configurations. Defenders should verify affected deployments, review official advisories, and monitor for unusual traffic or errors to prevent potential exploitation.

Defensive priority

High priority due to HIGH CVSS score and potential for sensitive information disclosure.

Recommended defensive actions

  • Update libcurl to version 8.21.0 or later
  • Disable CURLOPT_SSL_SESSIONID_CACHE or CURLOPT_SSL_OPTIONS with CURLSSLOPT_EARLYDATA
  • Monitor for unusual traffic or errors
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

CVE-2026-9545 has been analyzed by NVD and has a CVSS score of 7.5. The vulnerability affects libcurl's use of cached SSL sessions without proper certificate verification, potentially leading to sensitive information disclosure. Evidence is limited to public sources and vendor advisories. Defenders should verify affected deployments, review official advisories, and monitor for unusual traffic or errors.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T07:16:25.807Z and has not been modified since then. The NVD entry is currently Analyzed.