CVE-2026-9545
exposing HTTP/3 early data
Project curl Security Advisory, June 24 2026 Permalink
VULNERABILITY
In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate.
When libcurl returns to the hostname the second time with a cached SSL session (CURLOPT_SSL_SESSIONID_CACHE is not disabled) and early data enabled (the CURLSSLOPT_EARLYDATA bit is set in CURLOPT_SSL_OPTIONS), libcurl might send off the second request's
bytes on that new connection before enforcing the certificate verification failure. Potentially leaking sensitive information.
INFO
This flaw is HTTP/3 specific (and only for the ngtcp2 + nghttp3 backend), which is only used for HTTPS:// URLs.
This bug is not considered a C mistake (not likely to have been avoided had we not been using C).
This flaw also affects the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-9545 to this issue.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity: Low
AFFECTED VERSIONS
- Affected versions: curl 8.11.0 to and including 8.20.0
- Not affected versions: curl < 8.11.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/962097b8dd44ed5b9
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.21.0
B - Apply the patch to your version and rebuild
C - Avoid using TLS early data
TIMELINE
This issue was reported to the curl project on May 19, 2026.
curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Eunsoo Kim (Autonomous Code Security team at Microsoft)
- Patched-by: Stefan Eissing
Thanks a lot!