CVE-2026-9545

In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate.

When libcurl returns to the hostname the second time with a cached SSL session (CURLOPT SSL SESSIONID CACHE is not disabled) and early data enabled (the CURLSSLOPT EARLYDATA bit is set in CURLOPT SSL OPTIONS), libcurl might send off the second request's bytes on that new connection before enforcing the certificate verification failure. Potentially leaking sensitive information.