無料スキャン
分析待ちCVE-2026-5545

CVE-2026-5545: Connection Reuse Vulnerability in libcurl

プラットフォーム

c

コンポーネント

curl

修正版

8.19.1

NVDで見る
保存

CVE-2026-5545 affects versions 8.12.0 through 8.19.0 of libcurl. This vulnerability stems from a logical error in connection reuse logic, potentially allowing an attacker to exploit a connection authenticated with different credentials. Successful exploitation could lead to unauthorized access to resources and data. A fix is available in version 8.19.1.

影響と攻撃シナリオ翻訳中…

The core of the vulnerability lies in libcurl's connection pooling mechanism. When an application makes authenticated HTTP(S) requests, libcurl attempts to reuse existing connections to improve performance. However, under specific circumstances involving Negotiate authentication, the code incorrectly reuses a connection authenticated with different credentials. This means an attacker could potentially hijack a connection previously used by a legitimate user, gaining access to resources they shouldn't have. The impact is particularly severe in environments where sensitive data is transmitted over HTTP(S), such as financial transactions or access to private APIs. While the description doesn't explicitly mention it, a successful exploit could lead to session hijacking and unauthorized data modification.

悪用の状況翻訳中…

CVE-2026-5545 was published on May 13, 2026. Its severity is pending evaluation. Currently, there are no publicly known Proof-of-Concept (POC) exploits. It is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog or EPSS. Given the nature of the vulnerability – improper connection reuse – it's plausible that attackers could develop exploits targeting applications that rely heavily on libcurl for HTTP(S) communication.

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO

EPSS

0.04% (13% パーセンタイル)

影響を受けるソフトウェア

コンポーネントcurl
ベンダーcurl
最小バージョン8.12.0
最大バージョン8.19.0
修正版8.19.1

弱点分類 (CWE)

CWE-305

タイムライン

  1. 予約済み
  2. 公開日
  3. EPSS 更新日

緩和策と回避策翻訳中…

The primary mitigation for CVE-2026-5545 is to upgrade to libcurl version 8.19.1 or later. If upgrading is not immediately feasible due to compatibility issues or system downtime constraints, consider implementing temporary workarounds. One potential workaround is to disable connection reuse entirely, although this will negatively impact performance. Another approach is to carefully review application code to ensure that authentication credentials are properly managed and that connections are not inadvertently reused across different authentication contexts. Monitor libcurl logs for unusual connection activity. After upgrading, confirm the fix by performing authenticated HTTP(S) requests and verifying that connections are not being reused improperly.

修正方法翻訳中…

Actualice a la versión 8.19.1 o posterior para evitar la reutilización incorrecta de conexiones HTTP Negotiate. Esta vulnerabilidad permite que un atacante potencialmente robe credenciales al reutilizar conexiones autenticadas incorrectamente.  Verifique las fuentes oficiales de libcurl para obtener instrucciones de actualización específicas para su sistema operativo.

よくある質問翻訳中…

What is CVE-2026-5545 — Connection Reuse Vulnerability in libcurl?

CVE-2026-5545 is a vulnerability in libcurl versions 8.12.0–8.19.0 that allows unauthorized connection reuse in HTTP(S) requests after Negotiate authentication, potentially exposing sensitive data.

Am I affected by CVE-2026-5545 in libcurl?

If you are using libcurl versions 8.12.0 through 8.19.0, you are potentially affected. Check your libcurl version using curl --version.

How do I fix CVE-2026-5545 in libcurl?

Upgrade to libcurl version 8.19.1 or later to resolve this vulnerability. If upgrading is not possible immediately, consider temporary workarounds like disabling connection reuse.

Is CVE-2026-5545 being actively exploited?

Currently, there are no publicly known exploits or active campaigns targeting CVE-2026-5545, but it's crucial to apply the fix proactively.

Where can I find the official libcurl advisory for CVE-2026-5545?

Refer to the libcurl project's security announcements for the official advisory: https://curl.se/security/

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索
scanZone.liveBadgescanZone.eyebrow

今すぐ試す — アカウント不要

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

手動スキャンSlack/メールアラートContinuous monitoringホワイトラベルレポート

依存関係ファイルをドラッグ&ドロップ

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...