CVE-2024-8096

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

Published: Sep 11, 2024
Updated: Jul 31, 2025
CVE: CVE-2024-8096
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
haxx / curl	7.41.0	8.10.0
debian / debian_linux	11.0	11.0.x
netapp / ontap_tools	10	10.x

http://www.openwall.com/lists/oss-security/2024/09/11/1
https://curl.se/docs/CVE-2024-8096.html
https://curl.se/docs/CVE-2024-8096.json
https://hackerone.com/reports/2669852
https://lists.debian.org/debian-lts-announce/2024/11/msg00008.html
https://security.netapp.com/advisory/ntap-20241011-0005/

Vulnerability Database

CVE-2024-8096