CVE-2026-9545 PUBLISHED

exposing HTTP/3 early data

Assigner: curl
Reserved: 26.05.2026 Published: 03.07.2026 Updated: 03.07.2026

In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate.

When libcurl returns to the hostname the second time with a cached SSL session (CURLOPT_SSL_SESSIONID_CACHE is not disabled) and early data enabled (the CURLSSLOPT_EARLYDATA bit is set in CURLOPT_SSL_OPTIONS), libcurl might send off the second request's bytes on that new connection before enforcing the certificate verification failure. Potentially leaking sensitive information.

Product Status

Vendor curl
Product curl
Versions Default: unaffected
  • affected from 8.20.0 to 8.20.0 (incl.)
  • affected from 8.19.0 to 8.19.0 (incl.)
  • affected from 8.18.0 to 8.18.0 (incl.)
  • affected from 8.17.0 to 8.17.0 (incl.)
  • affected from 8.16.0 to 8.16.0 (incl.)
  • affected from 8.15.0 to 8.15.0 (incl.)
  • affected from 8.14.1 to 8.14.1 (incl.)
  • affected from 8.14.0 to 8.14.0 (incl.)
  • affected from 8.13.0 to 8.13.0 (incl.)
  • affected from 8.12.1 to 8.12.1 (incl.)
  • affected from 8.12.0 to 8.12.0 (incl.)
  • affected from 8.11.1 to 8.11.1 (incl.)
  • affected from 8.11.0 to 8.11.0 (incl.)

Credits

  • Eunsoo Kim (Autonomous Code Security team at Microsoft) finder
  • Stefan Eissing remediation developer

References

Problem Types

  • CWE-200 Exposure of Sensitive Information to an Unauthorized Actor