{"id":"CURL-CVE-2026-11564","summary":"Native CA trust persist","details":"libcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse if one of them matches the setup.\n\nAn easy handle that first uses default native CA trust can continue trusting\nthe native platform store after the application switches that same handle to\ncustom CA material for a later transfer.","aliases":["CVE-2026-11564"],"modified":"2026-06-24T14:05:44.935409Z","published":"2026-06-24T08:00:00Z","database_specific":{"severity":"Low","www":"https://curl.se/docs/CVE-2026-11564.html","issue":"https://hackerone.com/reports/3788984","affects":"lib","CWE":{"id":"CWE-295","desc":"Improper Certificate Validation"},"last_affected":"8.20.0","package":"curl","URL":"https://curl.se/docs/CVE-2026-11564.json"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.17.0"},{"fixed":"8.21.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"eefd03c572996e5de4dec4fe295ad6f103e0eefc"},{"fixed":"d69bfad3fa3daf5e72331f6870667607828d5891"}]}],"versions":["8.20.0","8.19.0","8.18.0","8.17.0","rc-8_21_0-1","curl-8_20_0","rc-8_20_0-3","rc-8_20_0-2","rc-8_20_0-1","curl-8_19_0","rc-8_19_0-3","rc-8_19_0-2","rc-8_19_0-1","curl-8_18_0","rc-8_18_0-3","rc-8_18_0-2","rc-8_18_0-1","curl-8_17_0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2026-11564.json","vanir_signatures":[{"signature_type":"Line","id":"CURL-CVE-2026-11564-24e02116","target":{"file":"lib/doh.c"},"signature_version":"v1","digest":{"line_hashes":["302775823278107257376010104080087955513","97617786226625773204756887854767609273","323994837270150557893228277911646965977","124352082369572260332869994101778297790"],"threshold":0.9},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/d69bfad3fa3daf5e72331f6870667607828d5891"},{"signature_type":"Line","id":"CURL-CVE-2026-11564-5f0d3993","target":{"file":"lib/setopt.c"},"signature_version":"v1","digest":{"line_hashes":["23217085955828986166768215621606310863","308165344137762387752727279928685738450","6075924892823319252564576225283047149","36372276612001804071468005033279715052","243204596506456288681215357517799598213","126332111562982119894149435628780509019","205865318814149707476450480998634856703","252775927087418991579797964353814789966","67108505919061543761756659910617077704","209536936518143652635420974039466573757","162005562450787528482188643409929309684","302002523251660536530136067384603093198","308482075297322339167175923341257550928","233485150746860250736556601815041573352","298630953154758751552465245482003218203","35002392999829780323496408092320269884","304025561121675738817870550359852542086","90320436928761878358749542385342171234","155894444090082474991458118076836598998","339003768618514751803182703081944578192","31109148258097687901942967586384396080","205594225943540937968229580456377089752","85279513998772090686058037826502092365","268199957510615090081478220151847360925","2929703125878374716161777542937086173","213440804600212180817942617287987490141"],"threshold":0.9},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/d69bfad3fa3daf5e72331f6870667607828d5891"},{"signature_type":"Function","id":"CURL-CVE-2026-11564-6bb6da89","target":{"function":"Curl_ssl_easy_config_complete","file":"lib/vtls/vtls_config.c"},"signature_version":"v1","digest":{"length":4989,"function_hash":"21443433544174325038658804853537595721"},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/d69bfad3fa3daf5e72331f6870667607828d5891"},{"signature_type":"Function","id":"CURL-CVE-2026-11564-6d85ea71","target":{"function":"doh_probe_run","file":"lib/doh.c"},"signature_version":"v1","digest":{"length":4063,"function_hash":"71063295310151775568400902582687714843"},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/d69bfad3fa3daf5e72331f6870667607828d5891"},{"signature_type":"Function","id":"CURL-CVE-2026-11564-8382c086","target":{"function":"set_ssl_options","file":"lib/setopt.c"},"signature_version":"v1","digest":{"length":609,"function_hash":"332182566022961669311125906850697230454"},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/d69bfad3fa3daf5e72331f6870667607828d5891"},{"signature_type":"Line","id":"CURL-CVE-2026-11564-e26f3f84","target":{"file":"lib/vtls/vtls_config.c"},"signature_version":"v1","digest":{"line_hashes":["72057766608019469650510981456286347713","239067064457248876313593037751839513770","196047359891183468016751644562362555385","137901476388031373544883218275547852614","151961004584591032126766202014258376036","142116908870379683503844951768374506065","322261561874347822703967645276417060350","256454111575766625853564110941242583516","302504703814018605226675339317784980340","132406900461261314861506075072761182303"],"threshold":0.9},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/d69bfad3fa3daf5e72331f6870667607828d5891"},{"signature_type":"Function","id":"CURL-CVE-2026-11564-fbb5c288","target":{"function":"setopt_long_ssl","file":"lib/setopt.c"},"signature_version":"v1","digest":{"length":1370,"function_hash":"26599435492158053357627362200812826547"},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/d69bfad3fa3daf5e72331f6870667607828d5891"}],"vanir_signatures_modified":"2026-06-24T14:05:44Z"}}],"schema_version":"1.7.5","credits":[{"name":"Filipe Casal of Trail of Bits in collaboration with OpenAI","type":"FINDER"},{"name":"Stefan Eissing","type":"REMEDIATION_DEVELOPER"}]}