CVE-2026-11564
Native CA trust persist
Project curl Security Advisory, June 24 2026
VULNERABILITY
libcurl keeps previously used connections in a connection pool so that subsequent transfers can reuse one of them when it matches their setup.
An easy handle that first performs a transfer with the default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.
INFO
The effect of this flaw is that libcurl can accept server TLS certificates that it would otherwise reject, since applications often set custom CA material precisely to narrow or limit the set of certificates that the native CA store would otherwise accept.
This issue applies to builds that use the "Native CA" store by default, which is a build option for Apple operating systems and for Windows.
This flaw exists when libcurl is built to use the OpenSSL, GnuTLS, Schannel or Rustls TLS backends.
This bug is not considered a C mistake (not likely to have been avoided had we not been using C).
This flaw does not affect the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-11564 to this issue.
CWE-295: Improper Certificate Validation
Severity: Low
AFFECTED VERSIONS
- Affected versions: curl 8.17.0 to and including 8.20.0
- Not affected versions: curl < 8.17.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/eefd03c572996e5de4dec4fe
libcurl is used by many applications, but not always advertised as such!
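A defender's first step is to find out which libcurl version a host actually carries. The script below is an added example, not part of the curl advisory or the curl project: it implements the advisory's affected range (8.17.0 to and including 8.20.0) as a numeric version comparison and, when run with `--check`, queries the installed libcurl through `curl-config --version` or, failing that, the `libcurl/x.y.z` token in `curl --version`. The version strings in the test are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the curl advisory): flag libcurl versions in the
# CVE-2026-11564 affected range, 8.17.0 <= version <= 8.20.0.
AFFECTED_MIN="8.17.0"
AFFECTED_MAX="8.20.0"

# vernum VERSION
# Prints major*1000000 + minor*1000 + patch so dotted versions compare as
# integers. A leading prefix ("libcurl ") and a trailing suffix ("-DEV",
# " (x86_64-...)") are stripped; missing minor/patch parts count as 0.
vernum() {
    v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
    major=${v%%.*}
    rest=${v#*.}
    if [ "$rest" = "$v" ]; then rest=0; fi     # no minor component present
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi # no patch component present
    printf '%d\n' $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# libcurl_affected VERSION
# Exit status 0 when VERSION lies inside the affected range, 1 otherwise.
libcurl_affected() {
    n=$(vernum "$1")
    lo=$(vernum "$AFFECTED_MIN")
    hi=$(vernum "$AFFECTED_MAX")
    [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]
}

# check_installed
# Determines the libcurl version on this host and prints a verdict.
# Exit status: 0 affected, 1 not affected, 2 undetermined.
check_installed() {
    if command -v curl-config >/dev/null 2>&1; then
        ver=$(curl-config --version)            # e.g. "libcurl 8.18.2"
    elif command -v curl >/dev/null 2>&1; then
        # first line looks like: curl 8.18.2 (...) libcurl/8.18.2 OpenSSL/...
        ver=$(curl --version | sed -n '1s/.*libcurl\/\([0-9.]*\).*/\1/p')
    else
        echo "no curl-config or curl found; cannot determine libcurl version"
        return 2
    fi
    if libcurl_affected "$ver"; then
        echo "libcurl $ver: AFFECTED by CVE-2026-11564 (8.17.0..8.20.0); upgrade to 8.21.0 or later"
        return 0
    fi
    echo "libcurl $ver: not in the affected range"
    return 1
}

if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```

Run it as `sh check_libcurl.sh --check`. Note that this only inspects the libcurl that `curl-config` or the `curl` tool reports; applications that bundle or statically link their own libcurl, as the advisory warns, have to be checked separately against the same range.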
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.21.0
B - Apply the patch to your version and rebuild
C - Avoid reusing easy handles with different CA options
TIMELINE
This issue was reported to the curl project on June 5, 2026.
curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Filipe Casal of Trail of Bits in collaboration with OpenAI
- Patched-by: Stefan Eissing
Thanks a lot!