Vulnerability
curl/libcurl: not verifying certs for TLS to IP address / Schannel
When asked to do a TLS connection (HTTPS, FTPS, IMAPS, etc.) to a URL specified with an IP address instead of a name, libcurl would wrongly not verify the server's name in the certificate. The signature (whether it was signed by a trusted CA) and validity (whether the date was within the certificate's lifetime and it was not revoked) verifications were still performed. This is a problem in libcurl built to use the Schannel TLS backend. Schannel is the native library provided by Microsoft Windows. Only users on Windows can be affected by this, and only if libcurl was built to use the native TLS backend library.
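The name check described above, as an added example that is not code from curl, Schannel or this page: a simplified C model of certificate identity matching that puts a check skipping the identity comparison for IP-address hosts beside one that requires a matching iPAddress entry. The `san` struct, the function names and the sample certificate are hypothetical and constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed model of a certificate's subjectAltName entries (hypothetical). */
enum san_type { SAN_DNS, SAN_IP };
struct san { enum san_type type; const char *value; };

/* True when host is an IPv4 or IPv6 literal rather than a DNS name. */
static bool is_ip_literal(const char *host) {
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Compare two IP literals by binary value, so "::1" equals "0:0:0:0:0:0:0:1". */
static bool same_ip(const char *a, const char *b) {
    unsigned char x[16], y[16];
    const int fams[2] = { AF_INET, AF_INET6 };
    const size_t lens[2] = { 4, 16 };
    for (int i = 0; i < 2; i++)
        if (inet_pton(fams[i], a, x) == 1 && inet_pton(fams[i], b, y) == 1)
            return memcmp(x, y, lens[i]) == 0;
    return false;
}

/* Hardened: an IP host must match an iPAddress SAN, a name host a dNSName SAN
   (exact match only; wildcard handling is left out of this model). */
bool verify_identity(const char *host, const struct san *sans, size_t n) {
    bool ip = is_ip_literal(host);
    for (size_t i = 0; i < n; i++) {
        if (ip && sans[i].type == SAN_IP && same_ip(host, sans[i].value))
            return true;
        if (!ip && sans[i].type == SAN_DNS &&
            strcasecmp(host, sans[i].value) == 0)
            return true;
    }
    return false;
}

/* Flawed model of the described behaviour: identity check skipped for IPs. */
bool verify_identity_flawed(const char *host, const struct san *sans, size_t n) {
    if (is_ip_literal(host))
        return true; /* chain and dates are checked elsewhere; the name is not */
    return verify_identity(host, sans, n);
}

/* Constructed sample: a CA-signed certificate issued for a different site. */
static const struct san other_site[] = {
    { SAN_DNS, "www.example.org" }, { SAN_IP, "192.0.2.10" },
};
```

With the flawed check, any certificate that passes chain and date validation is accepted for any IP-address URL, which is why the signature and validity checks alone do not authenticate the server.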
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile. Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
Low exploitation likelihood — defer if no other signals fire.
No VEX statements published for CVE-2014-2522. Vendors publish VEX (Vulnerability Exploitability eXchange) to assert per-product whether a CVE is actually exploitable in their distribution.
No exploitation, limited impact or prevalence