CVE-2026-8925
SASL double-free
Project curl Security Advisory, June 24 2026
VULNERABILITY
The curl logic that works with SASL authentication could end up cleaning up the GSASL context twice without clearing the pointer in between, making it free() the same pointer twice.
INFO
This flaw can trigger with protocols using SASL: IMAP, POP3 and SMTP, if curl was built to use libgsasl.
We deem it hard for an attacker to control or otherwise affect exactly which memory the second free() call frees, but we cannot rule out that in limited situations it could be used for nefarious purposes, as the sequence and timing can be somewhat affected by server behavior.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-8925 to this issue.
CWE-415: Double Free
Severity: Medium
AFFECTED VERSIONS
- Affected versions: curl 8.15.0 to and including 8.20.0
- Not affected versions: curl < 8.15.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/ab650379a8c25ca952f6
libcurl is used by many applications, but not always advertised as such!
This bug is considered a C mistake. It is likely to have been avoided had we not been using C.
This flaw is also accessible using the curl command line tool.
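A quick exposure check built from the version range and libgsasl condition above, as an added example that is not part of the original advisory or the curl project's code. It assumes a libgsasl-enabled build lists `gsasl` in its `curl --version` output; the function name, status strings and sample reports are constructed for illustration.

```shell
# Added example, not from the curl project. Classifies `curl --version`
# output against the advisory's affected range (8.15.0 through 8.20.0)
# and its libgsasl build condition.
# Assumption: a libgsasl-enabled build shows "gsasl" in that output.
# Distro packages may carry a backported fix that the version number
# alone does not reveal.

cve_2026_8925_status() {
    report=$1
    # First line: "curl X.Y.Z (platform) libcurl/X.Y.Z ..."
    ver=$(printf '%s\n' "$report" |
        sed -n '1s/^curl \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}

    # Every 8.15.x through 8.20.x release is treated as in range.
    if [ "$major" -ne 8 ] || [ "$minor" -lt 15 ] || [ "$minor" -gt 20 ]; then
        echo "not-affected-version"
        return 0
    fi
    if printf '%s\n' "$report" | grep -qi 'gsasl'; then
        echo "affected"
    else
        echo "version-in-range-no-gsasl"
    fi
}

# Constructed sample reports (not captured from real systems).
SAMPLE_GSASL='curl 8.18.0 (x86_64-pc-linux-gnu) libcurl/8.18.0 OpenSSL/3.5.0 libgsasl/2.2.1
Protocols: imap imaps pop3 pop3s smtp smtps
Features: gsasl SSL'
SAMPLE_PLAIN='curl 8.18.0 (x86_64-pc-linux-gnu) libcurl/8.18.0 OpenSSL/3.5.0
Protocols: imap imaps pop3 pop3s smtp smtps
Features: SSL'
SAMPLE_FIXED='curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.21.0 OpenSSL/3.5.0 libgsasl/2.2.1
Features: gsasl SSL'

# Check the local tool when the script is run with "--local".
if [ "${1:-}" = "--local" ] && command -v curl >/dev/null 2>&1; then
    cve_2026_8925_status "$(curl --version)"
fi
```

This only covers the curl command line tool found on the PATH; applications that bundle their own libcurl need to be checked separately.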
SOLUTION
RECOMMENDATIONS
A - Upgrade curl to version 8.21.0
B - Apply the patch to your local version
C - Do not use IMAP, POP3 or SMTP
TIMELINE
This issue was reported to the curl project on May 14, 2026. We contacted distros@openwall on June 17, 2026.
curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Joshua Rogers (Aisle Research)
- Patched-by: Viktor Szakats
Thanks a lot!