High severity7.5NVD Advisory· Published Aug 10, 2016· Updated May 6, 2026

CVE-2016-5420

Description

curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.

Affected products

Haxx/Libcurl
cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*
Range: <=7.50.0
Debian/Debian Linux
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
OpenSUSE/Leap
cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

curl.haxx.se/docs/adv_20160803B.htmlnvdMitigationPatchVendor Advisory
lists.opensuse.org/opensuse-updates/2016-09/msg00094.htmlnvdThird Party Advisory
www.debian.org/security/2016/dsa-3638nvdThird Party Advisory
lists.opensuse.org/opensuse-updates/2016-09/msg00011.htmlnvd
rhn.redhat.com/errata/RHSA-2016-2575.htmlnvd
rhn.redhat.com/errata/RHSA-2016-2957.htmlnvd
www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlnvd
www.securityfocus.com/bid/92309nvd
www.securitytracker.com/id/1036537nvd
www.securitytracker.com/id/1036739nvd
www.slackware.com/security/viewer.phpnvd
www.ubuntu.com/usn/USN-3048-1nvd
access.redhat.com/errata/RHSA-2018:3558nvd
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLPXQQKURBQFM4XM6645VRPTOE2AWG33/nvd
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3GQH4V3XAQ5Z53AMQRDEC3C3UHTW7QR/nvd
security.gentoo.org/glsa/201701-47nvd
source.android.com/security/bulletin/2016-12-01.htmlnvd
www.tenable.com/security/tns-2016-18nvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000