From d6571f7a701bbdde4314a70612fa342d5d243a07 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 14 May 2026 23:23:08 +0200
Subject: [PATCH] setopt: more careful cleanup of the HSTS cache

Reported-by: Joshua Rogers
Closes #21615
---
 lib/setopt.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/setopt.c b/lib/setopt.c
index 0fc5ec7e87..2bc49868b8 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -1280,8 +1280,16 @@ static CURLcode setopt_long_misc(struct Curl_easy *data, CURLoption option,
           return CURLE_OUT_OF_MEMORY;
       }
     }
-    else
+    else if(!data->share || !data->share->hsts) {
+      /* throw away the HSTS cache unless shared */
       Curl_hsts_cleanup(&data->hsts);
+      /* flush all the entries */
+      curl_slist_free_all(data->state.hstslist);
+      data->state.hstslist = NULL;
+    }
+    else
+      /* detach from shared HSTS cache without freeing it */
+      data->hsts = NULL;
     break;
 #endif
 #ifndef CURL_DISABLE_ALTSVC