Hello friends,

In association with the curl release 8.21.0 that we announced just minutes ago, we publish no less than eighteen new curl vulnerabilities.

Because of the large amount of issues, sending individual emails for each one would be a bit much so instead I list them all below and I link to each issue's individual explainer page.

CVE, title and severity. Listed here in numerical order. The order in which they were reported to us.

CVE-2026-8286: wrong STARTTLS connection reuse (LOW)
  https://curl.se/docs/CVE-2026-8286.html

CVE-2026-8458: wrong reuse for different services (LOW)
  https://curl.se/docs/CVE-2026-8458.html

CVE-2026-8924: traling dot domain super cookie (LOW)
  https://curl.se/docs/CVE-2026-8924.html

CVE-2026-8925: SASL double-free (MEDIUM)
  https://curl.se/docs/CVE-2026-8925.html

CVE-2026-8926: password leak with netrc and user in URL (LOW)
  https://curl.se/docs/CVE-2026-8926.html

CVE-2026-8927: env-set cross-proxy Digest auth state leak (MEDIUM)
  https://curl.se/docs/CVE-2026-8927.html

CVE-2026-8932: incomplete mTLS config matching in conn reuse (LOW)
  https://curl.se/docs/CVE-2026-8932.html

CVE-2026-9079: stale proxy password leak (MEDIUM)
  https://curl.se/docs/CVE-2026-9079.html

CVE-2026-9080: UAF after pause in socket callback (LOW)
  https://curl.se/docs/CVE-2026-9080.html

CVE-2026-9545: exposing HTTP/3 early data (LOW)
  https://curl.se/docs/CVE-2026-9545.html

CVE-2026-9546: sending old referer (LOW)
  https://curl.se/docs/CVE-2026-9546.html

CVE-2026-9547: SSH improper host validation (LOW)
  https://curl.se/docs/CVE-2026-9547.html

CVE-2026-10536: HTTP/2 stream-dependency tree UAF (LOW)
  https://curl.se/docs/CVE-2026-10536.html

CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop (LOW)
  https://curl.se/docs/CVE-2026-11352.html

CVE-2026-11564: Native CA trust persist (LOW)
  https://curl.se/docs/CVE-2026-11564.html

CVE-2026-11586: WS Auto-PONG memory exhaustion (LOW)
  https://curl.se/docs/CVE-2026-11586.html

CVE-2026-11856: cross-origin Digest auth state leak (MEDIUM)
  https://curl.se/docs/CVE-2026-11856.html

CVE-2026-12064: proto-default skips SSH verification (LOW)
  https://curl.se/docs/CVE-2026-12064.html

--

 / daniel.haxx.se || https://rock-solid.curl.dev

Reply via email to