CVE-2026-11564 PUBLISHED

Native CA trust persist

Assigner: curl
Reserved: 08.06.2026 Published: 03.07.2026 Updated: 03.07.2026

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.

An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.

Product Status

Vendor: curl
Product: curl
Versions: Default: unaffected
  • affected from 8.20.0 to 8.20.0 (incl.)
  • affected from 8.19.0 to 8.19.0 (incl.)
  • affected from 8.18.0 to 8.18.0 (incl.)
  • affected from 8.17.0 to 8.17.0 (incl.)

Credits

  • Filipe Casal of Trail of Bits in collaboration with OpenAI (finder)
  • Stefan Eissing (remediation developer)

Problem Types

  • CWE-295 Improper Certificate Validation