Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3108 articles · 171957 vulns · 37/41 feeds (7d)
← Back to list
7.5
CVE-2026-9545
curl · curl

exposing HTTP/3 early data

Description

In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.

Affected Products

VendorProductVersions
curlcurl8.20.0, 8.19.0, 8.18.0, 8.17.0, 8.16.0, 8.15.0, 8.14.1, 8.14.0, 8.13.0, 8.12.1, 8.12.0, 8.11.1, 8.11.0

References

  • https://curl.se/docs/CVE-2026-9545.json
  • https://curl.se/docs/CVE-2026-9545.html
  • https://hackerone.com/reports/3752888

Related News (2 articles)

Tier A
Microsoft MSRC2h ago
CVE-2026-9545 exposing HTTP/3 early data
→ No new info (linked only)
Tier C
VulDB4d ago
CVE-2026-9545 | curl libcURL up to 8.20.0 Certificate information disclosure
→ No new info (linked only)
CVSS 3.17.5 HIGH
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA KEV❌ No
Actively exploited❌ No
PublishedJul 3, 2026
Last enriched4d agov2
Trending Score56
Source articles2
Independent2
Info Completeness6/14
Missing: cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-8926EXP
password leak with netrc and user in URL
Trending: 77
CRITICALCVE-2026-10536
HTTP/2 stream-dependency tree UAF
Trending: 68
CRITICALCVE-2026-8924
trailing dot domain super cookie
Trending: 68
CRITICALCVE-2026-9080EXP
UAF after pause in socket callback
Trending: 61
HIGHCVE-2026-8286
wrong STARTTLS connection reuse
Trending: 59

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 3, 2026
Discovered by ZDM
Jul 3, 2026
Updated: severity
Jul 3, 2026

Version History

v2
Last enriched 4d ago
v2Tier C4d ago

Updated severity to HIGH and clarified that no exploit is available.

severity
via VulDB
v14d ago

Initial creation