{"id":"CURL-CVE-2026-9545","summary":"exposing HTTP/3 early data","details":"In this scenario, libcurl first uses a proper HTTP/3 server for the initial\ntransfers, and when it makes a second transfer to the same site the server has been\nreplaced by the attacker's impostor machine - without a valid certificate.\n\nWhen libcurl returns to the hostname the second time with a cached SSL session\n(`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the\n`CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might\nsend off the second request's bytes on that new connection *before* enforcing\nthe certificate verification failure, potentially leaking sensitive\ninformation.","aliases":["CVE-2026-9545"],"modified":"2026-06-24T08:07:08.355546Z","published":"2026-06-24T08:00:00Z","database_specific":{"last_affected":"8.20.0","issue":"https://hackerone.com/reports/3752888","affects":"both","www":"https://curl.se/docs/CVE-2026-9545.html","URL":"https://curl.se/docs/CVE-2026-9545.json","package":"curl","CWE":{"id":"CWE-200","desc":"Exposure of Sensitive Information to an Unauthorized Actor"},"severity":"Low"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.11.0"},{"fixed":"8.21.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"962097b8dd44ed5b9e7984bc1cdffdbdd566857f"},{"fixed":"7b9613fa9b1a5e04301a3920eef58e8138dad05e"}]}],"versions":["8.20.0","8.19.0","8.18.0","8.17.0","8.16.0","8.15.0","8.14.1","8.14.0","8.13.0","8.12.1","8.12.0","8.11.1","8.11.0","curl-8_20_0","rc-8_20_0-3","rc-8_20_0-2","rc-8_20_0-1","curl-8_19_0","rc-8_19_0-3","rc-8_19_0-2","rc-8_19_0-1","curl-8_18_0","rc-8_18_0-3","rc-8_18_0-2","rc-8_18_0-1","curl-8_17_0","curl-8_16_0","curl-8_15_0","curl-8_14_1","curl-8_14_0","curl-8_13_0","curl-8_12_1","curl-8_12_0","curl-8_11_1","curl-8_11_0"],"database_specific":{"vanir_signatures":[{"id":"CURL-CVE-2026-9545-0d23da02","target":{"function":"cf_ngtcp2_handshake_completed","file":"lib/vquic/curl_ngtcp2.c"},"source":"https://github.com/curl/curl.git/commit/7b9613fa9b1a5e04301a3920eef58e8138dad05e","deprecated":false,"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"153317582380559109273442960860016262309","length":1860}},{"id":"CURL-CVE-2026-9545-54b362b4","target":{"file":"lib/vquic/curl_ngtcp2.c"},"source":"https://github.com/curl/curl.git/commit/7b9613fa9b1a5e04301a3920eef58e8138dad05e","deprecated":false,"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["57837649208692003109394932325481589562","148897155669795626335640653234286619658","9221967505252324245084890594736647812","229339314465024621466349949698476012120","316992347216962730835430776133092520281","138701791296620101350765089525540312140","296327085920196481168568880711169351555","5354081226792327714123399886029077496","60630981963415792295832576530337112547","123864576250417216190818910419145918435","142835053885326796857721237189839522787","192948789493812143984840421097894964353","280733359488708788015184071526492175907","111945068324397344898130947918406342943","315163984305334991863463999532320024294","61010276926023090237519678734162290207","49355929218012117922133473512437199901","7905145105583230885624546070173304809","57003410938242733606680334162856661189","299257298584114877497706458750155152547"]}},{"id":"CURL-CVE-2026-9545-837feabc","target":{"function":"cf_ngtcp2_recv","file":"lib/vquic/curl_ngtcp2.c"},"source":"https://github.com/curl/curl.git/commit/7b9613fa9b1a5e04301a3920eef58e8138dad05e","deprecated":false,"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"225529865282307993815272211670638534898","length":1412}},{"id":"CURL-CVE-2026-9545-8e6fa72c","target":{"function":"cf_ngtcp2_send","file":"lib/vquic/curl_ngtcp2.c"},"source":"https://github.com/curl/curl.git/commit/7b9613fa9b1a5e04301a3920eef58e8138dad05e","deprecated":false,"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"126594513254768600204067746099346311735","length":2382}},{"id":"CURL-CVE-2026-9545-d0afa7aa","target":{"function":"cf_ngtcp2_connect","file":"lib/vquic/curl_ngtcp2.c"},"source":"https://github.com/curl/curl.git/commit/7b9613fa9b1a5e04301a3920eef58e8138dad05e","deprecated":false,"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"116844867287374578722968671244621372900","length":2392}}],"source":"https://curl.se/docs/CURL-CVE-2026-9545.json","vanir_signatures_modified":"2026-06-24T08:07:08Z"}}],"schema_version":"1.7.5","credits":[{"name":"Eunsoo Kim (Autonomous Code Security team at Microsoft)","type":"FINDER"},{"name":"Stefan Eissing","type":"REMEDIATION_DEVELOPER"}]}