Connection Pooling Vulnerability in libcurl by curl
CVE-2026-11564

Currently unrated

Key Information:

Vendor: Curl
Status: Vendor
CVE Published: 3 July 2026

What is CVE-2026-11564?

libcurl keeps a pool of previously used connections so that later transfers can reuse them instead of reconnecting. This connection pooling presents a security risk: an application that first performs transfers with the default native CA trust settings and later switches to custom CA material may inadvertently continue to trust the native platform store on connections reused for those later transfers. If this is not managed, it can expose the application to security threats. Developers are advised to review their use of libcurl and ensure that CA settings are correctly applied when the trust configuration changes between transfers.
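A simplified Python model, added here and not libcurl's own code, of the point above: a pool that matches reusable connections only on scheme, host and port hands a connection verified under the native store to a later transfer that asked for custom CA material, while a pool whose match key includes the trust configuration does not. The host name, the PEM bytes and the `TrustConfig`/`Pool` names are constructed for the example.

```python
"""Constructed model of connection reuse versus CA trust settings (not libcurl code)."""
from dataclasses import dataclass
from typing import Optional, Tuple
import hashlib


@dataclass(frozen=True)
class TrustConfig:
    """Which CA material a transfer wants the server certificate checked against."""
    native_ca: bool                 # trust the platform's native store
    ca_bundle: Optional[bytes]      # custom CA material (PEM bytes), if any

    def fingerprint(self) -> str:
        # Stable identity of the trust material so differing bundles never match.
        h = hashlib.sha256(b"native" if self.native_ca else b"custom")
        h.update(self.ca_bundle or b"")
        return h.hexdigest()


@dataclass
class Connection:
    host: str
    port: int
    verified_with: TrustConfig      # trust settings in force when the TLS handshake ran


class Pool:
    def __init__(self, key_includes_trust: bool):
        self.key_includes_trust = key_includes_trust  # False models the vulnerable behaviour
        self._conns: dict = {}

    def _key(self, host: str, port: int, trust: TrustConfig) -> tuple:
        base = ("https", host, port)
        return base + (trust.fingerprint(),) if self.key_includes_trust else base

    def transfer(self, host: str, port: int, trust: TrustConfig) -> Tuple[Connection, bool]:
        """Return (connection, reused); a new connection records the trust it was verified with."""
        key = self._key(host, port, trust)
        if key in self._conns:
            return self._conns[key], True
        conn = Connection(host, port, trust)
        self._conns[key] = conn
        return conn, False


def trust_mismatch(pool_keys_on_trust: bool) -> bool:
    """Advisory scenario: native trust first, custom CA material second.
    True means the second transfer reused a connection verified under other trust settings."""
    pool = Pool(key_includes_trust=pool_keys_on_trust)
    native = TrustConfig(native_ca=True, ca_bundle=None)
    custom = TrustConfig(native_ca=False, ca_bundle=b"-----BEGIN CERTIFICATE-----\nconstructed\n")
    pool.transfer("example.com", 443, native)
    conn, reused = pool.transfer("example.com", 443, custom)
    return reused and conn.verified_with != custom
```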

Affected Version(s)

curl 8.20.0

curl 8.19.0

curl 8.18.0

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Filipe Casal of Trail of Bits, in collaboration with OpenAI
Stefan Eissing