A security flaw that lurked in curl for over 25 years has been patched as part of a record-breaking security release: curl 8.21.0 fixes 18 CVEs, the most ever issued for a single curl version. The vulnerability, CVE-2026-8932, was first shipped in curl version 7.7 on March 22, 2001, making it the oldest curl security issue ever reported.
The release was announced by curl maintainer Daniel Stenberg on June 24, 2026.
curl is not just a command-line tool; it is foundational infrastructure. Running on more than 30 billion devices, it powers data transfers across operating systems, containers, CI/CD pipelines, package managers, SDKs, and automotive systems.
The vast majority of users never interact with curl directly but instead rely on libcurl, the embedded engine in countless products, making vulnerabilities in this library especially dangerous and difficult to trace.
The wave of discoveries began on May 11, 2026, when curl founder and lead developer Daniel Stenberg announced that Anthropic’s Mythos AI model had identified a single CVE in curl.
That disclosure triggered an unprecedented flood of security reports targeting the curl project. When the dust settled, 18 CVEs had been issued for the curl 8.21.0 release, a record high for any single curl version.
AISLE, an AI-powered, model-agnostic security platform, claimed 6 of the 18 CVEs, plus additional valid findings across curl and libcurl. The next-closest AI-powered organization received 3 CVEs, while researchers using Anthropic and OpenAI models found 1 each.
All six AISLE-reported vulnerabilities were disclosed to the project and patched in the June 24, 2026 release of curl 8.21.0:
| CVE | Area | Impact |
|---|---|---|
| CVE-2026-8926 | .netrc credential handling | Credential confusion: the wrong user's password selected for the same host |
| CVE-2026-8925 | SASL authentication | Double-free of GSASL context in SASL protocol flows |
| CVE-2026-8932 | mTLS connection reuse | Authentication bypass: connection reused after the client certificate changes (25+ year-old flaw) |
| CVE-2026-9080 | Multi socket callback | Use-after-free when curl_easy_pause() called inside socket callback |
| CVE-2026-9547 | SSH host validation | Improper host validation — rejected server key types accepted via libssh backend |
| CVE-2026-10536 | HTTP/2 stream dependencies | Use-after-free when resetting and cleaning up HTTP/2 dependency handles |
Beyond CVEs, AISLE also disclosed three additional memory safety issues, including a heap out-of-bounds read in urlapi and use-after-free/double-free bugs in HSTS handling, all reported via HackerOne.
Notably, several of these vulnerabilities exclusively affect libcurl, not the curl command-line tool itself. This means they exist deep inside embedded products where end users have no visibility and no direct ability to patch them.
The vulnerable code paths are reached through the embedding application's own use of libcurl (connection reuse, authentication state, callbacks), not through anything an end user does, which makes these findings especially significant for enterprise and IoT environments.
| CVE | Severity | Description |
|---|---|---|
| CVE-2026-8925 | Medium | SASL double-free leading to memory corruption or crashes |
| CVE-2026-8927 | Medium | Cross-proxy Digest auth state leak |
| CVE-2026-9079 | Medium | Stale proxy password leak |
| CVE-2026-11856 | Medium | Cross-origin Digest auth state leak |
| CVE-2026-8286 | Low | Wrong STARTTLS connection reuse |
| CVE-2026-8458 | Low | Wrong connection reuse for different services |
| CVE-2026-8924 | Low | Trailing dot domain super cookie |
| CVE-2026-8926 | Low | Password leak with netrc and user in URL |
| CVE-2026-8932 | Low | Incomplete mTLS config matching in connection reuse |
| CVE-2026-9080 | Low | Use-after-free after pause in socket callback |
| CVE-2026-9545 | Low | HTTP/3 early data exposure |
| CVE-2026-9546 | Low | Old referer data disclosure |
| CVE-2026-9547 | Low | SSH improper host validation |
| CVE-2026-10536 | Low | HTTP/2 stream-dependency tree use-after-free |
| CVE-2026-11352 | Low | QUIC zero-length UDP datagrams busy-loop |
| CVE-2026-11564 | Low | Native CA trust persistence issue |
| CVE-2026-11586 | Low | WebSocket Auto-PONG memory exhaustion |
| CVE-2026-12064 | Low | SSH verification skipped by proto-default |
Beyond security fixes, curl 8.21.0 introduces a limited set of new features, given the heavy focus on vulnerability remediation during this cycle.
Key additions include support for named globs in file uploads and enhanced HTTP/3 proxy capabilities using CONNECT and MASQUE CONNECT-UDP.
The release also removes deprecated features such as HTTP/2 stream dependency tracking and CURLAUTH_DIGEST_IE support, aligning the project with modern protocol practices.
Developers are also warned about upcoming removals, including NTLM, SMB, TLS-SRP, and local crypto implementations.
In total, the release includes 276 bug fixes and over 500 commits contributed by more than 100 developers, reflecting the scale of ongoing maintenance and security efforts.
Security teams and developers are strongly advised to upgrade to curl 8.21.0 immediately, especially in environments relying on authentication mechanisms, proxy configurations, or HTTP/2 and HTTP/3 features. Because several of the fixes are in libcurl, the version that matters is the library each application actually links, not just the version of the curl command-line tool on the host.
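Since several of these bugs live in libcurl rather than in the curl binary, the first practical step after this release is to find out which libcurl each host and application actually links. The script below is an added example and is not code from the curl project or from the article; it assumes only a POSIX shell, sed, and the banner format that `curl --version` prints (`curl X.Y.Z (...) libcurl/X.Y.Z ...`), and the two sample banners in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not curl project code, not from the article): a fleet-audit
# helper that reads the banner printed by `curl --version` and reports whether
# the *linked libcurl* is at or above the fixed release, 8.21.0. It keys on the
# "libcurl/X.Y.Z" token rather than the leading "curl X.Y.Z", because a current
# tool can be dynamically linked against an older system libcurl.

FIXED_VERSION="8.21.0"

# Print the libcurl version found in a `curl --version` banner, stripped of any
# suffix such as "-DEV". Prints nothing if the banner carries no libcurl/ token.
libcurl_version() {
    printf '%s\n' "$1" | sed -n 's#.*libcurl/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# True (exit 0) when dotted version $1 is >= dotted version $2. Missing
# components count as 0, so "8.22" compares as 8.22.0.
version_ge() {
    have=$1; want=$2
    old_ifs=$IFS; IFS=.
    set -- $have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $want; w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
    IFS=$old_ifs
    [ $((h1 * 1000000 + h2 * 1000 + h3)) -ge $((w1 * 1000000 + w2 * 1000 + w3)) ]
}

# Classify one banner. Exit status: 0 fixed, 1 vulnerable, 2 undetermined.
check_banner() {
    v=$(libcurl_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN: no libcurl/<version> token in banner"
        return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "OK: libcurl $v (>= $FIXED_VERSION)"
        return 0
    fi
    echo "VULNERABLE: libcurl $v (< $FIXED_VERSION, upgrade to curl 8.21.0)"
    return 1
}

# Constructed sample banners (not captured from real hosts). The second one is
# the embedded-libcurl case the article warns about: an 8.21.0 tool whose
# dynamically linked libcurl is still 8.20.0.
SAMPLE_OK='curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.21.0 OpenSSL/3.0.13 zlib/1.3.1'
SAMPLE_MISMATCH='curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.20.0 OpenSSL/3.0.13 zlib/1.3.1'

check_banner "$SAMPLE_OK" || :
check_banner "$SAMPLE_MISMATCH" || :

# Audit the curl on this host, if there is one. '|| :' keeps a VULNERABLE
# verdict from aborting a script that runs under 'set -e'.
if command -v curl >/dev/null 2>&1; then
    check_banner "$(curl --version 2>/dev/null)" || :
fi
```

The string returned by libcurl's own `curl_version()` starts with the same `libcurl/X.Y.Z` token, so an application that embeds the library and logs that string can be checked the same way; `curl-config --version` prints `libcurl X.Y.Z` with a space instead of a slash, so normalize that form before passing it to `check_banner`.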