CVE-2026-11564

NameCVE-2026-11564
Descriptionlibcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)bullseye7.74.0-1.3+deb11u13fixed
bullseye (security)7.74.0-1.3+deb11u16fixed
bookworm7.88.1-10+deb12u15fixed
bookworm (security)7.88.1-10+deb12u5fixed
trixie8.14.1-2+deb13u4fixed
forky8.20.0-5vulnerable
sid8.21.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcebullseye(not affected)
curlsourcebookworm(not affected)
curlsourcetrixie(not affected)
curlsource(unstable)8.21.0~rc2-1

Notes

[trixie] - curl <not-affected> (Vulnerable code not present)
[bookworm] - curl <not-affected> (Vulnerable code not present)
[bullseye] - curl <not-affected> (Vulnerable code not present)
https://curl.se/docs/CVE-2026-11564.html
Introduced with: https://github.com/curl/curl/commit/eefd03c572996e5de4dec4fe295ad6f103e0eefc (curl-8_17_0)
Fixed by: https://github.com/curl/curl/commit/d69bfad3fa3daf5e72331f6870667607828d5891 (rc-8_21_0-2, curl-8_21_0)

Search for package or bug name: Reporting problems