
98 matches found

Hacker One
added yesterday, 6 views

curl: GnuTLS OCSP stapling accepts unrelated SingleResponse (no cert-ID binding)

Summary This report describes a variant of the publicly disclosed curl vulnerability CVE-2020-8286 OCSP stapling verification bypass, found in the GnuTLS TLS backend lib/vtls/gtls.c. The original CVE affected the NSS backend; this variant reproduces the same logical class of defect — accepting...

CVSS 7.5 | AI score 6.8 | EPSS 0.00286
Exploits: 1
CVE
added 2026/05/27 12:23 p.m., 9 views

CVE-2026-42791

Summary: CVE-2026-42791 is an improper certificate validation weakness in Erlang OTP’s public_key/pubkey_ocsp module. OCSP response verification (pubkey_ocsp:verify_response/5 and pubkey_ocsp:is_authorized_responder/3) fails to enforce the validity period (notBefore/notAfter) of the OCSP responde...

CVSS 6.3 | AI score 5.8 | EPSS 0.00051
Exploits: 0 | References: 6 | Affected software: 1
FreeBSD
added 2026/05/27 12:00 a.m., 12 views

Erlang/OTP -- OCSP responder certificate accepted after expiry in public_key

https://github.com/erlang/otp/security/advisories/GHSA-cjxj-wj6x-3fff reports: Erlang/OTP's public_key application fails to validate the validity period of OCSP responder certificates during response verification. An attacker possessing an expired OCSP responder's private key can forge responses...

CVSS 6.3 | AI score 5.8 | EPSS 0.00051
Exploits: 0 | References: 1
AstraLinux
added 2026/05/03 11:59 p.m., 4 views

Astra Linux - vulnerability in curl

When curl is instructed to use the Certificate Status Request TLS extension, also known as OCSP stapling, to verify that the server certificate is valid, it may fail to detect certain OCSP issues and instead incorrectly consider the response to be fine. If the returned status reports an error oth...

CVSS 6.5 | AI score 6.9 | EPSS 0.00559
Exploits: 1 | References: 2
Snyk
added 2026/04/30 5:29 p.m., 2 views

Incorrect Behavior Order: Early Validation

Overview Affected versions of this package are vulnerable to Incorrect Behavior Order: Early Validation in the OCSP stapling process. An attacker can cause a client to accept a revoked server certificate by presenting a specially crafted multi-record OCSP response during a TLS handshake...

CVSS 6.3 | AI score 5.8 | EPSS 0.00021
Exploits: 1 | References: 2
Hacker One
added 2026/04/25 12:18 a.m., 17 views

curl: CVE-2026-7009: OCSP stapling bypass with Apple SecTrust

Summary When curl is built with --with-apple-sectrust or -DUSE_APPLE_SECTRUST=ON and OpenSSL, the --cert-status / CURLOPT_SSL_VERIFYSTATUS option is silently bypassed when Apple SecTrust handles certificate chain verification instead of OpenSSL. The user explicitly requests OCSP stapling enforcement,...

CVSS 6.5 | AI score 5.5 | EPSS 0.00559
Exploits: 3
ATTACKERKB
added 2026/04/07 12:28 p.m., 3 views

CVE-2026-32144

Improper Certificate Validation vulnerability in Erlang OTP public_key pubkey_ocsp module allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate...

CVSS 7.6 | AI score 5.9 | EPSS 0.00039
Exploits: 0 | References: 7 | Affected software: 1
CVE
added 2026/04/07 12:28 p.m., 14 views

CVE-2026-32144

The CVE affects Erlang OTP’s public_key OCSP validation path (pubkey_ocsp module, pkix_ocsp_validate/5) where OCSP responder verification omits cryptographic signature validation of CA-designated responders. Instead, it only checks issuer name matching and OCSPSigning EKU, enabling a maliciously ...

CVSS 7.6 | AI score 5.9 | EPSS 0.00039
Exploits: 0 | References: 6 | Affected software: 3
Tenable Nessus
added 2025/11/13 12:00 a.m., 3 views

Siemens SIMATIC and SCALANCE Improper Certificate Validation (CVE-2024-8096)

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error tha...

CVSS 6.5 | AI score 6.7 | EPSS 0.00559
Exploits: 1 | References: 5
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2011-0040

Malware in sbrugna...

CVSS 5 | AI score 7.8 | EPSS 0.01196
Exploits: 0 | References: 37
Tenable Nessus
added 2025/05/17 12:00 a.m., 3 views

EulerOS Virtualization 2.12.1 : curl (EulerOS-SA-2025-1552)

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server...

CVSS 6.5 | AI score 6.5 | EPSS 0.00745
Exploits: 2 | References: 3
Tenable Nessus
added 2025/05/17 12:00 a.m., 5 views

EulerOS Virtualization 2.12.0 : curl (EulerOS-SA-2025-1568)

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server...

CVSS 6.5 | AI score 6.5 | EPSS 0.00745
Exploits: 2 | References: 3
Tenable Nessus
added 2025/02/10 12:00 a.m., 6 views

Azure Linux 3.0 Security Update: curl (CVE-2024-0853)

The version of curl installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-0853 advisory. - curl inadvertently kept the SSL session ID for connections in its cache even when the verify status OCSP stapli...

CVSS 5.3 | AI score 6.4 | EPSS 0.00187
Exploits: 1 | References: 2
Tenable Nessus
added 2024/12/12 12:00 a.m., 11 views

EulerOS 2.0 SP11 : curl (EulerOS-SA-2024-2978)

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is...

CVSS 6.5 | AI score 7.2 | EPSS 0.00559
Exploits: 1 | References: 2
OpenVAS
added 2024/12/12 12:00 a.m., 8 views

Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2024-2948)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 6.5 | AI score 6.7 | EPSS 0.00559
Exploits: 1 | References: 2
OpenVAS
added 2024/12/12 12:00 a.m., 7 views

Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2024-2933)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 6.5 | AI score 6.7 | EPSS 0.00559
Exploits: 1 | References: 2
Tenable Nessus
added 2024/12/12 12:00 a.m., 12 views

EulerOS 2.0 SP12 : curl (EulerOS-SA-2024-2948)

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is...

CVSS 6.5 | AI score 7.2 | EPSS 0.00559
Exploits: 1 | References: 2
Tenable Nessus
added 2024/12/12 12:00 a.m., 15 views

EulerOS 2.0 SP12 : curl (EulerOS-SA-2024-2933)

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is...

CVSS 6.5 | AI score 7.2 | EPSS 0.00559
Exploits: 1 | References: 2
OpenVAS
added 2024/12/12 12:00 a.m., 11 views

Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2024-2978)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 6.5 | AI score 6.7 | EPSS 0.00559
Exploits: 1 | References: 2
OpenVAS
added 2024/12/12 12:00 a.m., 14 views

Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2024-2964)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 6.5 | AI score 6.7 | EPSS 0.00559
Exploits: 1 | References: 2