25-Year-Old Vulnerability in cURL Used by 30 Billion Devices Finally Patched

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A critical security flaw lurking in curl for over 25 years has been patched, as part of a record-breaking security release that fixed 18 CVEs, the most ever issued in a single curl version. The vulnerability, CVE-2026-8932, was first shipped in curl version 7.7 on March 22, 2001, making it the oldest curl security issue ever reported.

The release, announced by maintainer Daniel Stenberg on June 24, 2026, marks the most vulnerabilities fixed in a single curl release.

curl is not just a command-line tool; it is foundational infrastructure. Running on more than 30 billion devices, it powers data transfers across operating systems, containers, CI/CD pipelines, package managers, SDKs, and automotive systems.

The vast majority of users never interact with curl directly but instead rely on libcurl, the embedded engine in countless products, making vulnerabilities in this library especially dangerous and difficult to trace.

The wave of discoveries began on May 11, 2026, when curl founder and lead developer Daniel Stenberg announced that Anthropic’s Mythos AI model had identified a single CVE in curl.

That disclosure triggered an unprecedented flood of security reports targeting the curl project. When the dust settled, 18 CVEs had been issued for the curl 8.21.0 release, a record high for any single curl version.

AISLE, an AI-powered, model-agnostic security platform, claimed 6 of the 18 CVEs, plus additional valid findings across curl and libcurl. The next-closest AI-powered organization received 3 CVEs, while researchers using Anthropic and OpenAI models found 1 each.

All six vulnerabilities were responsibly disclosed and patched in the June 24, 2026, release of curl 8.21.0:

| CVE | Area | Impact |
|---|---|---|
| CVE-2026-8926 | .netrc credential handling | Credential confusion: wrong user's password selected for the same host |
| CVE-2026-8925 | SASL authentication | Double-free of GSASL context in SASL protocol flows |
| CVE-2026-8932 | mTLS connection reuse | Authentication bypass: connection reused after client cert changes (25+ year-old flaw) |
| CVE-2026-9080 | Multi socket callback | Use-after-free when curl_easy_pause() is called inside a socket callback |
| CVE-2026-9547 | SSH host validation | Improper host validation: rejected server key types accepted via the libssh backend |
| CVE-2026-10536 | HTTP/2 stream dependencies | Use-after-free when resetting and cleaning up HTTP/2 dependency handles |

Beyond CVEs, AISLE also disclosed three additional memory safety issues, including a heap out-of-bounds read in urlapi and use-after-free/double-free bugs in HSTS handling, all reported via HackerOne.

Notably, several of these vulnerabilities exclusively affect libcurl, not the curl command-line tool itself. This means they exist deep inside embedded products where end users have no visibility and no direct ability to patch them.

Because the affected code paths are reached through each application's own use of libcurl, exposure depends on how a product drives the library rather than on anything the end user controls, which makes these findings especially significant for enterprise and IoT environments.

| CVE | Severity | Description |
|---|---|---|
| CVE-2026-8925 | Medium | SASL double-free leading to memory corruption or crashes |
| CVE-2026-8927 | Medium | Cross-proxy Digest auth state leak |
| CVE-2026-9079 | Medium | Stale proxy password leak |
| CVE-2026-11856 | Medium | Cross-origin Digest auth state leak |
| CVE-2026-8286 | Low | Wrong STARTTLS connection reuse |
| CVE-2026-8458 | Low | Wrong connection reuse for different services |
| CVE-2026-8924 | Low | Trailing dot domain super cookie |
| CVE-2026-8926 | Low | Password leak with netrc and user in URL |
| CVE-2026-8932 | Low | Incomplete mTLS config matching in connection reuse |
| CVE-2026-9080 | Low | Use-after-free after pause in socket callback |
| CVE-2026-9545 | Low | HTTP/3 early data exposure |
| CVE-2026-9546 | Low | Old referer data disclosure |
| CVE-2026-9547 | Low | SSH improper host validation |
| CVE-2026-10536 | Low | HTTP/2 stream-dependency tree use-after-free |
| CVE-2026-11352 | Low | QUIC zero-length UDP datagrams busy-loop |
| CVE-2026-11564 | Low | Native CA trust persistence issue |
| CVE-2026-11586 | Low | WebSocket Auto-PONG memory exhaustion |
| CVE-2026-12064 | Low | SSH verification skipped by proto-default |

Beyond security fixes, curl 8.21.0 introduces a limited set of new features, given the heavy focus on vulnerability remediation during this cycle.

Key additions include support for named globs in file uploads and enhanced HTTP/3 proxy capabilities using CONNECT and MASQUE CONNECT-UDP.

The release also removes deprecated features such as HTTP/2 stream dependency tracking and CURLAUTH_DIGEST_IE support, aligning the project with modern protocol practices.

Developers are also warned about upcoming removals, including NTLM, SMB, TLS-SRP, and local crypto implementations.

In total, the release includes 276 bug fixes and over 500 commits contributed by more than 100 developers, reflecting the scale of ongoing maintenance and security efforts.

Security teams and developers are strongly advised to upgrade to curl 8.21.0 immediately, especially in environments relying on authentication mechanisms, proxy configurations, or HTTP/2 and HTTP/3 features.
