Skip to content
CVSS 9.1 · CRITICAL

CVE-2026-11564

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.

View on NVD

Analysis

libcurl has a critical vulnerability in its connection pooling logic. An application that switches a handle from default system CAs to a custom certificate authority may continue to trust the system store for subsequent transfers. This can lead to unexpected trust in certificates and potential man-in-the-middle risks in environments requiring strict certificate pinning or private CAs.

Relevant roles

BackendCyberSecurityLinuxCC++Php

Severity

Score: 9.1(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: NONE

EPSS

Probability of exploitation (next 30 days): 0.0020 (0.2%)
Percentile: 9.5%
EPSS: 2026-07-06

Technical description

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.

Published: 7/3/2026, 7:16:23 AM
Last modified: 7/6/2026, 6:20:47 PM

References

HomeEventsBlogResourcesTeam