Native CA trust persist
Summary
| CVE | CVE-2026-11564 |
|---|---|
| State | PUBLISHED |
| Assigner | curl |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-03 07:16:23 UTC |
| Updated | 2026-07-03 07:16:23 UTC |
| Description | libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer. |
Risk And Classification
Problem Types: CWE-295 Improper Certificate Validation
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| curl.se/docs/CVE-2026-11564.json | 2499f714-1537-4658-8207-48ae4bb9eae9 | curl.se | |
| curl.se/docs/CVE-2026-11564.html | 2499f714-1537-4658-8207-48ae4bb9eae9 | curl.se | |
| hackerone.com/reports/3788984 | 2499f714-1537-4658-8207-48ae4bb9eae9 | hackerone.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Filipe Casal of Trail of Bits in collaboration with OpenAI
CNA: Stefan Eissing
There are currently no legacy QID mappings associated with this CVE.