Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-11564

CVE-2026-11564: Haxx Curl Information Disclosure Flaw

CVE-2026-11564 is an information disclosure vulnerability in Haxx Curl's libcurl that affects CA trust handling in connection pooling. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-11564 Overview

CVE-2026-11564 is a certificate validation flaw [CWE-295] in libcurl, the widely deployed HTTP client library maintained by Haxx. The vulnerability affects how libcurl reuses pooled connections when an application changes the certificate authority (CA) trust configuration on an easy handle between transfers. An easy handle that first uses the default native CA trust store can continue to trust that native platform store after the application switches the same handle to custom CA material for a later transfer. Attackers positioned on the network path can leverage this behavior to present certificates signed by CAs that the application intended to distrust.

Critical Impact

Applications enforcing pinned or custom CA trust may unknowingly accept certificates validated against the platform CA store, enabling machine-in-the-middle interception of encrypted traffic.

Affected Products

  • Haxx curl (libcurl)
  • Applications linking against affected libcurl versions that switch CA sources on a reused easy handle
  • Downstream distributions bundling vulnerable libcurl builds

Discovery Timeline

  • 2026-07-03 - CVE-2026-11564 published to the National Vulnerability Database
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2026-11564

Vulnerability Analysis

libcurl maintains a connection pool so that subsequent transfers can reuse existing TLS sessions when the connection parameters match. The reuse logic determines whether a pooled connection is compatible with the current transfer setup. This check fails to fully account for a mid-lifecycle change in the CA trust source associated with an easy handle.

When an application first performs a transfer using the operating system's native CA store, libcurl caches the resulting authenticated connection. If the application later reconfigures the same handle to trust only custom CA material, such as a pinned bundle or file, libcurl can still return the previously validated connection. The pooled connection was authenticated against the platform store, not the custom CA the caller now requires. The result is a certificate validation bypass for the second transfer.

The issue carries network attack vector and impacts confidentiality and integrity, since intercepted TLS sessions expose transmitted data and allow response tampering.

Root Cause

The root cause is an incomplete connection reuse comparison. libcurl treats the pooled connection as matching the new setup even though the CA source used to authenticate the peer no longer aligns with the caller's tightened trust configuration. The bug maps to CWE-295: Improper Certificate Validation.

Attack Vector

Exploitation requires an attacker capable of presenting a TLS certificate to the victim client through a network position, such as a rogue Wi-Fi access point, compromised upstream router, or DNS hijack. The attacker's certificate must chain to a CA present in the platform trust store. If the target application relied on switching to custom CA material to reject platform-trusted issuers, the reused connection defeats that protection. No user interaction or authentication is required.

No verified exploitation code is currently published for this issue. Refer to the cURL Vulnerability Advisory and HackerOne Report #3788984 for authoritative technical details.

Detection Methods for CVE-2026-11564

Indicators of Compromise

  • Unexpected TLS handshakes to backend endpoints presenting certificates issued by CAs outside the application's declared custom CA bundle.
  • Application logs showing successful transfers after a CURLOPT_CAINFO or CURLOPT_CAPATH change, without a new handshake being observed on the wire.
  • Network telemetry indicating certificate issuers inconsistent with the pinned trust configuration for a given service.

Detection Strategies

  • Inventory processes linking libcurl and correlate loaded library versions against the fixed release listed in the vendor advisory.
  • Instrument applications to log the negotiated peer certificate chain per transfer and alert on chains not anchored to the intended custom CA.
  • Compare TLS session reuse events against configuration changes on the same easy handle to identify mismatched trust contexts.

Monitoring Recommendations

  • Monitor egress TLS traffic for certificate issuer anomalies against a baseline of expected CAs per destination.
  • Track deployment of libcurl updates across build pipelines, container images, and package repositories.
  • Review dependency manifests (SBOMs) for embedded libcurl versions in third-party and internally developed software.

How to Mitigate CVE-2026-11564

Immediate Actions Required

  • Upgrade libcurl to the fixed version identified in the cURL Vulnerability Advisory across all systems, containers, and build artifacts.
  • Audit application code paths that mutate CA settings (CURLOPT_CAINFO, CURLOPT_CAPATH, CURLOPT_SSL_CTX_FUNCTION) on reused easy handles.
  • Rotate or re-verify any credentials or tokens transmitted through affected clients during the exposure window.

Patch Information

The curl project has published a security advisory with fixed release information at curl.se/docs/CVE-2026-11564.html. Machine-readable metadata is available in the cURL CVE-2026-11564 JSON document. Apply the corresponding vendor package update from your Linux distribution or rebuild statically linked binaries against the patched libcurl.

Workarounds

  • Use a fresh easy handle for each transfer that requires distinct CA trust material rather than reconfiguring an existing handle.
  • Call curl_easy_reset and clear the connection cache with CURLOPT_FRESH_CONNECT and CURLOPT_FORBID_REUSE when switching CA sources.
  • Segregate transfers with different trust requirements into separate multi handles or processes to prevent pool crossover.
bash
# Example: force a new connection when switching CA material on the same handle
curl_easy_setopt(handle, CURLOPT_CAINFO, "/etc/ssl/custom-ca.pem");
curl_easy_setopt(handle, CURLOPT_FRESH_CONNECT, 1L);
curl_easy_setopt(handle, CURLOPT_FORBID_REUSE, 1L);

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.