CVE-2024-8096 [Medium] | Security Bypass in Curl

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

EDB-ID	Source	Kind	Published	Link
—	nvd_ref	exploit_tag		Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

—

nvd_ref

exploit_tag

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-05-23	0.52%	0.56%	+0.04%
2	2026-03-04	0.41%	0.52%	+0.10%
3	2026-03-01	—	0.41%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-05-23

0.52%

0.56%

+0.04%

2026-03-04

0.41%

0.52%

+0.10%

2026-03-01

—

0.41%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.5	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	3.9	2.5	134c704f-9b21-4f2e-91b3-4a467353bcc0

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.5

3.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N): Service keeps running; no real outage angle.

3.9

2.5

134c704f-9b21-4f2e-91b3-4a467353bcc0

OS Trackers for CVE-2024-8096

vendor	priority	summary	link
`alpine`	—	CVE-2024-8096: 1 source package rows (curl); 225 state rows across 7 repos (3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 6, open 219.	https://security.alpinelinux.org/vuln/CVE-2024-8096
`debian`	not yet assigned	CVE-2024-8096 not yet assigned priority: Debian including 1 source packages (curl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2024-8096
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2024-8096
`suse`	medium	CVE-2024-8096 severity moderate: SUSE including 390 source package names (0.0.17-1.1:curl-8.6.0-150600.4.6.1, 0.0.17-1.1:libcurl4-8.6.0-150600.4.6.1, …), 992 product×package rows across 345 product lines (Container bci/gcc, Container bci/golang, … (345 product lines)): Fixed 772, Known Affected 213, Known Not Affected 6, First Fixed 1.	https://www.suse.com/security/cve/CVE-2024-8096/
`ubuntu`	medium	CVE-2024-8096 medium priority: Ubuntu including 1 source packages (curl), 10 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): released 7, needs-triage 3.	https://ubuntu.com/security/CVE-2024-8096

Affected software / configurations for CVE-2024-8096

Vendor	Product	Version	Raw CPE
haxx	curl	>= 7.41.0, < 8.10.0	cpe:2.3:a:haxx:curl::::::::
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*
netapp	active_iq_unified_manager	—	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
netapp	ontap_select_deploy_administration_utility	—	cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*
netapp	ontap_tools	10	cpe:2.3:a:netapp:ontap_tools:10:::::vmware_vsphere::
netapp	bootstrap_os	—	cpe:2.3:o:netapp:bootstrap_os:-:::::::*
netapp	h300s_firmware	—	cpe:2.3:o:netapp:h300s_firmware:-:::::::*
netapp	h410s_firmware	—	cpe:2.3:o:netapp:h410s_firmware:-:::::::*
netapp	h500s_firmware	—	cpe:2.3:o:netapp:h500s_firmware:-:::::::*
netapp	h700s_firmware	—	cpe:2.3:o:netapp:h700s_firmware:-:::::::*

References for CVE-2024-8096

URL	Tags
https://curl.se/docs/CVE-2024-8096.html	Vendor Advisory
https://curl.se/docs/CVE-2024-8096.json	Vendor Advisory
https://hackerone.com/reports/2669852	Exploit Issue Tracking Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/09/11/1	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/11/msg00008.html	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20241011-0005/	Third Party Advisory

URL

CVE-2024-8096 | OCSP stapling bypass with GnuTLS

Public exploit references (Exploit-DB) for CVE-2024-8096

Exploit prediction scoring system (EPSS) score for CVE-2024-8096

Common vulnerability scoring system (CVSS) metrics for CVE-2024-8096

Weakness enumeration for CVE-2024-8096

OS Trackers for CVE-2024-8096

Affected software / configurations for CVE-2024-8096

References for CVE-2024-8096