Description

A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.
Published: 2026-07-03
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A client using libcurl may initiate a transfer that upgrades the connection to STARTTLS, but the library can incorrectly reuse an existing live connection even though the TLS configuration mismatches. This flaw allows the upgraded session to be handled over an insecure or incorrectly configured channel, exposing transmitted data and enabling a malicious party to tamper with traffic. The flaw arises from insufficient validation of the TLS state before reusing a connection.

Affected Systems

This vulnerability affects the curl library, specifically libcurl used by applications that perform STARTTLS operations. No specific version ranges are listed in the advisory, implying any build that implements STARTTLS via libcurl could be susceptible. The CNA identified the product as curl:curl, meaning that operators of software relying on libcurl should examine the version in use.

Risk and Exploitability

The formal CVSS score is not provided, the EPSS index is unavailable, and the issue is not listed in CISA KEV, so the likelihood of exploitation is not quantified. However, because the flaw allows a connection that does not meet the TLS requirements to be reused, an adversary who can influence the server side or control the network path could potentially intercept or tamper with traffic that is presumed to be protected by STARTTLS. The impact is a loss of confidentiality and integrity; the available data does not indicate whether authentication or authorization is affected.

Generated by OpenCVE AI on July 3, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libcurl to a version that fixes the STARTTLS connection reuse bug.
  • Where possible, configure applications to disable connection reuse for STARTTLS upgrades or enforce explicit TLS checks.
  • Monitor network traffic for unexpected unencrypted data following a STARTTLS command and alert if anomalies occur.

Advisories

  • Source: Ubuntu USN | ID: USN-8487-1 | Title: curl vulnerabilities

History

Fri, 03 Jul 2026 21:00:00 +0000

  • Weaknesses: CWE-200, CWE-311

Fri, 03 Jul 2026 10:00:00 +0000

  • Weaknesses: CWE-200, CWE-311

Fri, 03 Jul 2026 09:00:00 +0000

  • First Time appeared (values added): Curl, Curl curl
  • Vendors & Products (values added): Curl, Curl curl

Fri, 03 Jul 2026 06:45:00 +0000

  • Description (value added): A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.
  • Title (value added): wrong STARTTLS connection reuse

References

MITRE

Status: PUBLISHED

Assigner: curl

Published:

Updated: 2026-07-03T06:14:17.541Z

Reserved: 2026-05-11T07:06:37.906Z

Link: CVE-2026-8286

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T20:45:16Z

Weaknesses

No weakness.