<Vulnerability name="CVE-2026-9545">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-03T06:17:55</PublicDate>
    <Bugzilla id="2496756" url="https://bugzilla.redhat.com/show_bug.cgi?id=2496756" xml:lang="en:us">
libcurl: libcurl: Information disclosure via cached SSL session and early data
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-295</CWE>
    <Details xml:lang="en:us" source="Mitre">
In this scenario, libcurl first uses a proper HTTP/3 server for the initial
transfers, and when it makes a second transfer to the same site it has been
replaced by the attacker's impostor machine - without a valid certificate.

When libcurl returns to the hostname the second time with a cached SSL session
(`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the
`CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might
send off the second request's bytes on that new connection *before* enforcing
the certificate verification failure. Potentially leaking sensitive
information.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in libcurl. An attacker can exploit this by replacing a legitimate HTTP/3 server with an impostor machine. When libcurl attempts a second transfer to the same site with a cached SSL session and early data enabled, it may send sensitive request data before verifying the server's certificate. This could lead to the disclosure of sensitive information to the attacker.
    </Details>
    <Statement xml:lang="en:us">
This Moderate impact information disclosure flaw in libcurl arises when an application uses HTTP/3 with both SSL session caching and early data enabled. An attacker could exploit this by impersonating a legitimate server, leading to sensitive data being sent before certificate verification fails. This scenario requires specific libcurl configurations that may not be enabled by default in all Red Hat products.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>dotnet8.0</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_core_services:1">
        <ProductName>Red Hat JBoss Core Services</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libcurl-1.dll</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_core_services:1">
        <ProductName>Red Hat JBoss Core Services</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libcurl.so</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-9545
https://nvd.nist.gov/vuln/detail/CVE-2026-9545
https://curl.se/docs/CVE-2026-9545.html
https://curl.se/docs/CVE-2026-9545.json
https://hackerone.com/reports/3752888
    </References>
</Vulnerability>