PatchSiren

curl CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH curl CVE published 2026-07-03

CVE-2026-9547

A libcurl-based application performing transfers via `SCP://` or `SFTP://` and utilizing the `CURLOPT_SSH_KEYFUNCTION` callback may silently accept an untrusted server. This occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. The vulnerability allows the connection to succeed without warning, potentially leading [truncated]

HIGH curl CVE published 2026-07-03

CVE-2026-9546

The CVE record for CVE-2026-9546 was published on 2026-07-03T07:16:25.893Z and has not been modified since then. The NVD entry is currently Analyzed. This vulnerability affects libcurl, causing the HTTP Referer: header to persist even when explicitly cleared. Users of libcurl, particularly those handling sensitive information, should be aware of this vulnerability and take steps to mitigate it. The vulner [truncated]

HIGH curl CVE published 2026-07-03

CVE-2026-9545

libcurl's improper certificate validation can lead to sensitive information disclosure when using a cached SSL session without verifying the certificate on a second transfer to the same site. This occurs when libcurl returns to the hostname with a cached SSL session and early data enabled. The vulnerability has a HIGH CVSS score of 7.5, indicating a high priority for mitigation.

HIGH curl CVE published 2026-07-03

CVE-2026-9080

CVE-2026-9080 is a use-after-free vulnerability in libcurl, occurring when calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback. This triggers a use-after-free vulnerability because libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed. The vulnerability has been assigned a CVSS score of 7.3 and a severity o [truncated]

CRITICAL curl CVE published 2026-07-03

CVE-2026-9079

libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them. This critical vulnerability affects libcurl versions between 8.8.0 and 8.21.0. Users of libcurl, particularly those using versions between 8.8.0 and 8.21.0, should review and apply patches to mi [truncated]

HIGH curl CVE published 2026-07-03

CVE-2026-8932

CVE-2026-8932 is a vulnerability in libcurl that allows for the reuse of previously created connections even when certain mTLS configuration options have been changed. This issue arises from libcurl's connection pooling mechanism, which did not properly account for changes to TLS settings related to client certificates. The vulnerability stems from the connection pooling mechanism of libcurl, which mainta [truncated]

CRITICAL curl CVE published 2026-07-03

CVE-2026-8926

A critical vulnerability was discovered in curl, a popular command-line tool for transferring data with URLs. The vulnerability occurs when asking curl to use a `.netrc` file to find credentials and specifying a URL with a username (without a password). In such cases, curl could wrongly get and use the password for another user set in the `.netrc` file for that host if such a one exists and there is no ma [truncated]

CRITICAL curl CVE published 2026-07-03

CVE-2026-8925

A critical vulnerability was found in curl's SASL authentication logic, which could lead to a double free condition. This occurs when the GSASL context is cleaned up twice without clearing the pointer in between, resulting in a `free()` of the same pointer twice. The vulnerability affects curl versions 8.15.0 to 8.21.0, and users of these versions should be aware of this vulnerability and take steps to mi [truncated]

CRITICAL curl CVE published 2026-07-03

CVE-2026-8924

A flaw in curl's cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains. The vulnerability has significant operational impact, particularly for users of curl who transfer data with URLs, as it could allow att [truncated]

HIGH curl CVE published 2026-07-03

CVE-2026-8286

A vulnerability exists in Curl where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not. This issue has been assigned a CVSS score of 8.1 and a severity of HIGH. The vulnerability affects users of Curl who utilize STARTTLS for upgrading connections, potentially leading to security issues includin [truncated]

CRITICAL curl CVE published 2026-07-03

CVE-2026-11856

CVE-2026-11856 is a critical vulnerability in libcurl that wrongly passes on the `Authorization:` header field. This occurs when using libcurl to do a transfer to a specific HTTP origin and then changing the origin for a second transfer, reusing the same handle. The vulnerability has a CVSS score of 9.8 and is classified as CRITICAL. Users of libcurl, particularly those using Digest authentication, should [truncated]

HIGH curl CVE published 2026-07-03

CVE-2026-11586

CVE-2026-11586 is a high-severity vulnerability in Curl, a popular command-line tool for transferring data. The vulnerability has a CVSS score of 7.5 and can be exploited by a malicious server to exhaust all available memory by flooding Curl with rapid, sequential PING messages. This vulnerability affects users of Curl, especially those who use it to transfer data over the internet. The vulnerability is c [truncated]

CRITICAL curl CVE published 2026-07-03

CVE-2026-11564

A critical vulnerability was found in libcurl, a popular open-source library used for transferring data with URLs. The issue allows libcurl to keep previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. This can lead to security issues if an easy handle that first uses default native CA trust continues trusting the native platform store after t [truncated]

HIGH curl CVE published 2026-07-03

CVE-2026-11352

CVE-2026-11352 is a remote denial of service vulnerability in curl’s QUIC UDP receive function. A malicious HTTP/3 server can trigger this vulnerability against a curl or libcurl client by continuously streaming empty datagrams to indefinitely stall the client. This issue affects users of curl or libcurl clients, particularly those using version 8.18.0 up to but not including 8.21.0.

CRITICAL curl CVE published 2026-07-03

CVE-2026-10536

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the rese [truncated]

HIGH curl CVE published 2023-12-12

CVE-2024-2466

A vulnerability in libcurl's mbedTLS integration causes complete TLS certificate validation bypass when connecting to hosts specified as IP addresses. The flaw affects Siemens SINEC NMS and potentially other products using vulnerable libcurl builds with mbedTLS. CISA published advisory ICSA-24-319-04 on November 12, 2024, coordinating with Siemens' security advisory SSA-331112. The vulnerability is not li [truncated]

HIGH curl CVE published 2023-12-12

CVE-2024-2398

CVE-2024-2398 is a memory leak vulnerability in libcurl that occurs when HTTP/2 server push is enabled and the received headers exceed the maximum allowed limit of 1000. When libcurl aborts the server push under this condition, it fails to free all previously allocated headers, resulting in memory leakage. The error condition fails silently, making detection difficult for applications. The vulnerability w [truncated]

MEDIUM curl CVE published 2023-12-12

CVE-2024-2379

libcurl, when built with wolfSSL, contains a flaw in its QUIC connection handling where certificate verification is incorrectly skipped under specific error conditions. If an application requests an unknown or unsupported cipher or curve, the resulting error path fails to perform certificate validation and returns a success status, effectively ignoring certificate problems. This vulnerability affects Siem [truncated]

MEDIUM curl CVE published 2023-12-12

CVE-2024-2004

CVE-2024-2004 is a protocol selection logic flaw in curl that affects Siemens SINEC NMS. When the `--proto` option is used to disable all protocols without subsequently enabling any, the default protocol set incorrectly remains in the allowed set due to an error in the removal logic. This could allow a request to proceed using a protocol that was explicitly disabled, such as plaintext HTTP. The vulnerabil [truncated]