High severity7.5NVD Advisory· Published Jun 2, 2022· Updated Apr 16, 2026

CVE-2022-27782

Description

libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.

Affected products

Haxx/Curl
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Range: <7.83.1
Splunk/Universal Forwarder2 versions
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*range: >=8.2.0,<8.2.12
- cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
Debian/Debian Linux2 versions
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Patches

462196e6b4a4

https://github.com/curl/curlvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

hackerone.com/reports/1555796nvdExploitThird Party Advisory
lists.debian.org/debian-lts-announce/2022/08/msg00017.htmlnvdMailing ListThird Party Advisory
security.gentoo.org/glsa/202212-01nvdThird Party Advisory
security.netapp.com/advisory/ntap-20220609-0009/nvdThird Party Advisory
www.debian.org/security/2022/dsa-5197nvdMailing ListThird Party Advisory
www.openwall.com/lists/oss-security/2023/03/20/6nvdMailing List

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000