PatchSiren cyber security CVE debrief
CVE-2026-9545 curl CVE debrief
libcurl's improper certificate validation can lead to sensitive information disclosure when using a cached SSL session without verifying the certificate on a second transfer to the same site. This occurs when libcurl returns to the hostname with a cached SSL session and early data enabled. The vulnerability has a HIGH CVSS score of 7.5, indicating a high priority for mitigation.
- Vendor
- curl
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-03
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-03
- Advisory updated
- 2026-07-07
Who should care
Users of libcurl, especially those using HTTP/3 with early data enabled, should be aware of this vulnerability and take steps to mitigate it. This includes updating libcurl to version 8.21.0 or later, disabling CURLOPT_SSL_SESSIONID_CACHE or CURLOPT_SSL_OPTIONS with CURLSSLOPT_EARLYDATA, and monitoring for unusual traffic or errors.
Technical summary
libcurl's improper certificate validation can lead to sensitive information disclosure when using a cached SSL session without verifying the certificate on a second transfer to the same site. This occurs when libcurl returns to the hostname with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`). The vulnerability has a HIGH CVSS score of 7.5, indicating a high priority for mitigation. Affected products using libcurl with HTTP/3 and early data enabled should review and update their configurations. Defenders should verify affected deployments, review official advisories, and monitor for unusual traffic or errors to prevent potential exploitation.
Defensive priority
High priority due to HIGH CVSS score and potential for sensitive information disclosure.
Recommended defensive actions
- Update libcurl to version 8.21.0 or later
- Disable CURLOPT_SSL_SESSIONID_CACHE or CURLOPT_SSL_OPTIONS with CURLSSLOPT_EARLYDATA
- Monitor for unusual traffic or errors
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
CVE-2026-9545 has been analyzed by NVD and has a CVSS score of 7.5. The vulnerability affects libcurl's use of cached SSL sessions without proper certificate verification, potentially leading to sensitive information disclosure. Evidence is limited to public sources and vendor advisories. Defenders should verify affected deployments, review official advisories, and monitor for unusual traffic or errors.
Official resources
-
CVE-2026-9545 CVE record
CVE.org
-
CVE-2026-9545 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
2499f714-1537-4658-8207-48ae4bb9eae9 - Patch, Vendor Advisory
-
Mitigation or vendor reference
2499f714-1537-4658-8207-48ae4bb9eae9 - Vendor Advisory
-
Mitigation or vendor reference
2499f714-1537-4658-8207-48ae4bb9eae9 - Exploit, Issue Tracking, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T07:16:25.807Z and has not been modified since then. The NVD entry is currently Analyzed.