PT-2016-6417 · Curl+5 · Libcurl+6

Published: 2016-08-03 · Updated: 2026-05-18 · CVE-2016-5420

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

libcurl versions prior to 7.50.1
curl versions prior to 7.50.1

Description

The issue arises when libcurl reuses established TLS connections for subsequent requests without checking which client certificate the request is supposed to use. libcurl keeps previous connections alive in a connection pool, so a later request to the same server can be sent over the wrong connection: one that was authenticated with a different client certificate, or with no certificate at all. A remote attacker could exploit this to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.

Recommendations

Update curl and libcurl to version 7.50.1 or later to resolve the issue. As a temporary workaround, until the update can be applied, consider disabling the reuse of TLS connections.
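As an added illustration, not code from this page or from the curl project: a simplified Python model of the connection-pool matching described above. It shows why comparing only host and port lets a request ride on a connection authenticated with a different client certificate, how also comparing the certificate (the behaviour of the fixed version) prevents that, and how the workaround of disabling TLS connection reuse behaves. `ConnectionPool`, `TlsConfig` and the `alice.pem`/`bob.pem` sample certificates are constructed for the example.

```python
# Added example (a simplified model, not libcurl's code): a TLS connection pool that
# keys reuse on host:port alone, versus one that also compares the client certificate.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class TlsConfig:
    host: str
    port: int
    client_cert: Optional[str]  # certificate the request wants to present; None = no certificate

class ConnectionPool:
    """Keeps finished connections alive and hands them to later requests to the same server."""

    def __init__(self, check_client_cert: bool, forbid_reuse: bool = False):
        self.check_client_cert = check_client_cert  # True models the behaviour fixed in 7.50.1
        self.forbid_reuse = forbid_reuse  # True models the workaround (libcurl: CURLOPT_FORBID_REUSE / CURLOPT_FRESH_CONNECT)
        self.live: List[TlsConfig] = []  # each entry is the config a live connection handshook with

    def _matches(self, conn: TlsConfig, wanted: TlsConfig) -> bool:
        if (conn.host, conn.port) != (wanted.host, wanted.port):
            return False
        # The vulnerable pool stopped here: the client certificate was never compared.
        if self.check_client_cert and conn.client_cert != wanted.client_cert:
            return False
        return True

    def get(self, wanted: TlsConfig) -> TlsConfig:
        # Returns the config of the connection this request actually travels over.
        if not self.forbid_reuse:
            for conn in self.live:
                if self._matches(conn, wanted):
                    return conn
        self.live.append(wanted)  # nothing reusable: fresh handshake with the requested certificate
        return wanted

def certs_actually_used(check_client_cert: bool, forbid_reuse: bool = False) -> List[Optional[str]]:
    """Constructed sample: three requests to one server, each asking for a different client cert."""
    pool = ConnectionPool(check_client_cert, forbid_reuse)
    requests = [
        TlsConfig("example.com", 443, "alice.pem"),
        TlsConfig("example.com", 443, "bob.pem"),
        TlsConfig("example.com", 443, None),
    ]
    return [pool.get(r).client_cert for r in requests]

if __name__ == "__main__":
    print("vulnerable:", certs_actually_used(check_client_cert=False))  # all three ride alice.pem
    print("fixed:     ", certs_actually_used(check_client_cert=True))  # alice.pem, bob.pem, None
    print("workaround:", certs_actually_used(False, forbid_reuse=True))  # alice.pem, bob.pem, None
```

In the vulnerable configuration every request, including the one that asked for no certificate at all, is sent over the connection that authenticated as alice.pem; the fixed matching and the no-reuse workaround both give each request a connection carrying the certificate it asked for.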

Fix

Weakness Enumeration

Improper Authorization

Related Identifiers

ALT-PU-2016-1895
CESA-2016_2575
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2016-5420
DLA-1568-1
DLA-586-1
DSA-3638-1
MGASA-2016-0285
RHSA-2016:2575
RHSA-2016_2575
RHSA-2018:3558
SUSE-SU-2016:2155-1
SUSE-SU-2016:2330-1
SUSE-SU-2016:2449-1
SUSE-SU-2016:2700-1
SUSE-SU-2017:2699-1
SUSE-SU-2017:2700-1
USN-3048-1

Affected Products

Alt Linux
Centos
Red Hat
Suse
Ubuntu
Curl
Libcurl