Hi

are any of these exploitable?

i do find it amazing and sorta scarry that the ai (i assume it was ai bots that 
scrutinized your release in 4 minutes) can locate such esoteric (to me anyway) 
'bugs' 




On Wed, 24 Jun 2026 08:08:57 +0200 (CEST)
Daniel Stenberg via curl-users <[email protected]> wrote:

> Hello friends,
> 
> In association with the curl release 8.21.0 that we announced just minutes 
> ago, we publish no less than eighteen new curl vulnerabilities.
> 
> Because of the large amount of issues, sending individual emails for each one 
> would be a bit much so instead I list them all below and I link to each 
> issue's individual explainer page.
> 
> CVE, title and severity. Listed here in numerical order. The order in which 
> they were reported to us.
> 
> CVE-2026-8286: wrong STARTTLS connection reuse (LOW)
>    https://curl.se/docs/CVE-2026-8286.html
> 
> CVE-2026-8458: wrong reuse for different services (LOW)
>    https://curl.se/docs/CVE-2026-8458.html
> 
> CVE-2026-8924: traling dot domain super cookie (LOW)
>    https://curl.se/docs/CVE-2026-8924.html
> 
> CVE-2026-8925: SASL double-free (MEDIUM)
>    https://curl.se/docs/CVE-2026-8925.html
> 
> CVE-2026-8926: password leak with netrc and user in URL (LOW)
>    https://curl.se/docs/CVE-2026-8926.html
> 
> CVE-2026-8927: env-set cross-proxy Digest auth state leak (MEDIUM)
>    https://curl.se/docs/CVE-2026-8927.html
> 
> CVE-2026-8932: incomplete mTLS config matching in conn reuse (LOW)
>    https://curl.se/docs/CVE-2026-8932.html
> 
> CVE-2026-9079: stale proxy password leak (MEDIUM)
>    https://curl.se/docs/CVE-2026-9079.html
> 
> CVE-2026-9080: UAF after pause in socket callback (LOW)
>    https://curl.se/docs/CVE-2026-9080.html
> 
> CVE-2026-9545: exposing HTTP/3 early data (LOW)
>    https://curl.se/docs/CVE-2026-9545.html
> 
> CVE-2026-9546: sending old referer (LOW)
>    https://curl.se/docs/CVE-2026-9546.html
> 
> CVE-2026-9547: SSH improper host validation (LOW)
>    https://curl.se/docs/CVE-2026-9547.html
> 
> CVE-2026-10536: HTTP/2 stream-dependency tree UAF (LOW)
>    https://curl.se/docs/CVE-2026-10536.html
> 
> CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop (LOW)
>    https://curl.se/docs/CVE-2026-11352.html
> 
> CVE-2026-11564: Native CA trust persist (LOW)
>    https://curl.se/docs/CVE-2026-11564.html
> 
> CVE-2026-11586: WS Auto-PONG memory exhaustion (LOW)
>    https://curl.se/docs/CVE-2026-11586.html
> 
> CVE-2026-11856: cross-origin Digest auth state leak (MEDIUM)
>    https://curl.se/docs/CVE-2026-11856.html
> 
> CVE-2026-12064: proto-default skips SSH verification (LOW)
>    https://curl.se/docs/CVE-2026-12064.html
> 
> -- 
> 
>   / daniel.haxx.se || https://rock-solid.curl.dev
> -- 
> Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
> Etiquette:   https://curl.se/mail/etiquette.html
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette:   https://curl.se/mail/etiquette.html

Reply via email to