SASL double-free
================

Project curl Security Advisory, June 24 2026
[Permalink](https://curl.se/docs/CVE-2026-8925.html)

VULNERABILITY
-------------

The curl logic that works with SASL authentication could end up cleaning up
the GSASL context *twice* without clearing the pointer in between, making it
`free()` the same pointer twice.
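
The pattern described above, as an added illustration that is not curl's code: the names `mech_ctx`, `conn` and `ctx_free`, and the one-slot pool standing in for the heap, are assumptions, chosen so that the second release is counted rather than actually performed.

```c
#include <stdio.h>

struct mech_ctx { int step; };          /* hypothetical SASL backend context */
struct conn { struct mech_ctx *ctx; };  /* hypothetical owner of the context */

static struct mech_ctx slot;  /* one-slot pool standing in for the heap */
static int slot_live;         /* 1 while the slot is handed out */
static int double_frees;      /* releases of an already released context */

static struct mech_ctx *ctx_new(void)
{
  slot.step = 0;
  slot_live = 1;
  return &slot;
}

/* Release wrapper that records a second release instead of performing it */
static void ctx_free(struct mech_ctx *p)
{
  if(!p)
    return;                   /* like free(NULL): a no-op */
  if(!slot_live) {
    double_frees++;           /* with a real heap this is the CWE-415 event */
    return;
  }
  slot_live = 0;
}

/* Flawed: releases the context but leaves the stale pointer in the owner */
static void cleanup_flawed(struct conn *c) { ctx_free(c->ctx); }

/* Hardened: clearing the pointer makes a repeated cleanup harmless */
static void cleanup_fixed(struct conn *c) { ctx_free(c->ctx); c->ctx = NULL; }

/* Two cleanups of the same owner; returns the number of double frees seen */
static int run_twice(void (*cleanup)(struct conn *))
{
  struct conn c;
  double_frees = 0;
  c.ctx = ctx_new();
  cleanup(&c);
  cleanup(&c);
  return double_frees;
}

int main(void)
{
  printf("flawed: %d double free(s)\n", run_twice(cleanup_flawed));
  printf("fixed:  %d double free(s)\n", run_twice(cleanup_fixed));
  return 0;
}
```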

INFO
----

This flaw can trigger with protocols using SASL: IMAP, POP3 and SMTP, if curl
was built to use libgsasl.

We deem it *hard* for an attacker to control or otherwise affect exactly which
memory the second `free()` call will free, but we cannot rule out that in
limited situations it could be used for nefarious purposes, as the sequence
and timing can be somewhat affected by server behavior.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-8925 to this issue.

CWE-415: Double Free

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 8.15.0 up to and including 8.20.0
- Not affected versions: curl < 8.15.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/ab650379a8c25ca952f6

libcurl is used by many applications, but not always advertised as such!

This bug is considered a *C mistake*. It is likely to have been avoided had we
not been using C.

This flaw is also accessible using the curl command line tool.

SOLUTION
--------

- Fixed-in: https://github.com/curl/curl/commit/3da249e1f0716c06644ed3522

RECOMMENDATIONS
---------------

 A - Upgrade curl to version 8.21.0

 B - Apply the patch to your local version

 C - Do not use IMAP, POP3 or SMTP

TIMELINE
--------

This issue was reported to the curl project on May 14, 2026. We contacted
distros@openwall on June XX, 2026.

curl 8.21.0 was released on June 24 2026, coordinated with the publication of
this advisory.

CREDITS
-------

- Reported-by: Joshua Rogers (Aisle Research)
- Patched-by: Viktor Szakats

Thanks a lot!
