[UPDATE] [medium] cURL: Multiple vulnerabilities
An attacker can exploit multiple vulnerabilities in cURL to bypass security measures, disclose confidential information, or cause a denial-of-service condition or memory corruption.
CSIRTS triage
- What
- Multiple vulnerabilities allow an attacker to bypass security measures, disclose information, or cause denial-of-service or memory corruption.
- Who is affected
- Deployments of cURL are affected.
- Urgency
- Remediation is important to prevent potential exploitation of these vulnerabilities.
- Action
- Update cURL to the latest version.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch cURL
Get an email when a new cURL advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2052
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-105360.89% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 55% of all scored CVEs.
- Moderate exploitation riskCVE-2026-113521.0% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 59% of all scored CVEs.
- Low exploitation riskCVE-2026-115640.61% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 45% of all scored CVEs.
- Low exploitation riskCVE-2026-115860.86% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 54% of all scored CVEs.
- Moderate exploitation riskCVE-2026-118561.1% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 61% of all scored CVEs.
- Low exploitation riskCVE-2026-120640.57% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 43% of all scored CVEs.
- Low exploitation riskCVE-2026-90800.49% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 39% of all scored CVEs.
- Low exploitation riskCVE-2026-95450.41% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 33% of all scored CVEs.
- Low exploitation riskCVE-2026-95460.65% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 47% of all scored CVEs.
- Low exploitation riskCVE-2026-95470.51% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 40% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-10536 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-11352 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-11564 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-11586 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-11856 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-12064 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-9080 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-9545 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-9546 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-9547 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- unknownUSN-8525-1: curl vulnerabilitiesubuntu
- highCVE-2026-9547: When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the …nvd
- highCVE-2026-9546: A vulnerability in libcurl caused the HTTP `Referer:` header to persist even when explicitly cl…nvd
- highCVE-2026-9545: In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when…nvd
- highCVE-2026-9080: Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers …nvd
- highCVE-2026-12064: When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp),…nvd
- criticalCVE-2026-11856: Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest*…nvd
- highCVE-2026-11586: By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper …nvd
- criticalCVE-2026-11564: libcurl keeps previously used connections in a connection pool for subsequent transfers to reu…nvd
- highCVE-2026-11352: An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a rem…nvd
- criticalCVE-2026-10536: A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stre…nvd
- lowCVE-2026-9080: UAF after pause in socket callbackmsrc
Recent advisories for cURL
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- high[UPDATE] [high] cURL: Multiple vulnerabilitiescert-bund · 2026-07-10
- medium[UPDATE] [medium] cURL: Vulnerability allows information disclosurecert-bund · 2026-07-10
- medium[UPDATE] [medium] cURL: Vulnerability allows bypassing security measurescert-bund · 2026-07-10
- unknownUSN-8525-1: curl vulnerabilitiesubuntu · 2026-07-09
- medium[UPDATE] [medium] cURL: Multiple vulnerabilitiescert-bund · 2026-07-03
- highCVE-2026-9080: Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers …nvd · 2026-07-03
More from CERT-Bund (BSI) Security Advisories
- medium[NEW] [medium] DENX U-Boot: Multiple vulnerabilities allow execution of arbitrary code and DoS2026-07-10
- medium[NEW] [medium] Samsung Android: Multiple vulnerabilities2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow unspecified attack2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10