Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
Re: [SECURITY ADVISORIES] for curl 8.21.0
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: toby via curl-users <curl-users_at_lists.haxx.se>
Date: Sat, 27 Jun 2026 11:24:42 -0600
Hi
are any of these exploitable?
i do find it amazing and sorta scarry that the ai (i assume it was ai bots that scrutinized your release in 4 minutes) can locate such esoteric (to me anyway) 'bugs'
On Wed, 24 Jun 2026 08:08:57 +0200 (CEST)
Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se> wrote:
> Hello friends,
>
> In association with the curl release 8.21.0 that we announced just minutes
> ago, we publish no less than eighteen new curl vulnerabilities.
>
> Because of the large amount of issues, sending individual emails for each one
> would be a bit much so instead I list them all below and I link to each
> issue's individual explainer page.
>
> CVE, title and severity. Listed here in numerical order. The order in which
> they were reported to us.
>
> CVE-2026-8286: wrong STARTTLS connection reuse (LOW)
> https://curl.se/docs/CVE-2026-8286.html
>
> CVE-2026-8458: wrong reuse for different services (LOW)
> https://curl.se/docs/CVE-2026-8458.html
>
> CVE-2026-8924: traling dot domain super cookie (LOW)
> https://curl.se/docs/CVE-2026-8924.html
>
> CVE-2026-8925: SASL double-free (MEDIUM)
> https://curl.se/docs/CVE-2026-8925.html
>
> CVE-2026-8926: password leak with netrc and user in URL (LOW)
> https://curl.se/docs/CVE-2026-8926.html
>
> CVE-2026-8927: env-set cross-proxy Digest auth state leak (MEDIUM)
> https://curl.se/docs/CVE-2026-8927.html
>
> CVE-2026-8932: incomplete mTLS config matching in conn reuse (LOW)
> https://curl.se/docs/CVE-2026-8932.html
>
> CVE-2026-9079: stale proxy password leak (MEDIUM)
> https://curl.se/docs/CVE-2026-9079.html
>
> CVE-2026-9080: UAF after pause in socket callback (LOW)
> https://curl.se/docs/CVE-2026-9080.html
>
> CVE-2026-9545: exposing HTTP/3 early data (LOW)
> https://curl.se/docs/CVE-2026-9545.html
>
> CVE-2026-9546: sending old referer (LOW)
> https://curl.se/docs/CVE-2026-9546.html
>
> CVE-2026-9547: SSH improper host validation (LOW)
> https://curl.se/docs/CVE-2026-9547.html
>
> CVE-2026-10536: HTTP/2 stream-dependency tree UAF (LOW)
> https://curl.se/docs/CVE-2026-10536.html
>
> CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop (LOW)
> https://curl.se/docs/CVE-2026-11352.html
>
> CVE-2026-11564: Native CA trust persist (LOW)
> https://curl.se/docs/CVE-2026-11564.html
>
> CVE-2026-11586: WS Auto-PONG memory exhaustion (LOW)
> https://curl.se/docs/CVE-2026-11586.html
>
> CVE-2026-11856: cross-origin Digest auth state leak (MEDIUM)
> https://curl.se/docs/CVE-2026-11856.html
>
> CVE-2026-12064: proto-default skips SSH verification (LOW)
> https://curl.se/docs/CVE-2026-12064.html
>
> --
>
> / daniel.haxx.se || https://rock-solid.curl.dev
> --
> Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
> Etiquette: https://curl.se/mail/etiquette.html
Date: Sat, 27 Jun 2026 11:24:42 -0600
Hi
are any of these exploitable?
i do find it amazing and sorta scarry that the ai (i assume it was ai bots that scrutinized your release in 4 minutes) can locate such esoteric (to me anyway) 'bugs'
On Wed, 24 Jun 2026 08:08:57 +0200 (CEST)
Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se> wrote:
> Hello friends,
>
> In association with the curl release 8.21.0 that we announced just minutes
> ago, we publish no less than eighteen new curl vulnerabilities.
>
> Because of the large amount of issues, sending individual emails for each one
> would be a bit much so instead I list them all below and I link to each
> issue's individual explainer page.
>
> CVE, title and severity. Listed here in numerical order. The order in which
> they were reported to us.
>
> CVE-2026-8286: wrong STARTTLS connection reuse (LOW)
> https://curl.se/docs/CVE-2026-8286.html
>
> CVE-2026-8458: wrong reuse for different services (LOW)
> https://curl.se/docs/CVE-2026-8458.html
>
> CVE-2026-8924: traling dot domain super cookie (LOW)
> https://curl.se/docs/CVE-2026-8924.html
>
> CVE-2026-8925: SASL double-free (MEDIUM)
> https://curl.se/docs/CVE-2026-8925.html
>
> CVE-2026-8926: password leak with netrc and user in URL (LOW)
> https://curl.se/docs/CVE-2026-8926.html
>
> CVE-2026-8927: env-set cross-proxy Digest auth state leak (MEDIUM)
> https://curl.se/docs/CVE-2026-8927.html
>
> CVE-2026-8932: incomplete mTLS config matching in conn reuse (LOW)
> https://curl.se/docs/CVE-2026-8932.html
>
> CVE-2026-9079: stale proxy password leak (MEDIUM)
> https://curl.se/docs/CVE-2026-9079.html
>
> CVE-2026-9080: UAF after pause in socket callback (LOW)
> https://curl.se/docs/CVE-2026-9080.html
>
> CVE-2026-9545: exposing HTTP/3 early data (LOW)
> https://curl.se/docs/CVE-2026-9545.html
>
> CVE-2026-9546: sending old referer (LOW)
> https://curl.se/docs/CVE-2026-9546.html
>
> CVE-2026-9547: SSH improper host validation (LOW)
> https://curl.se/docs/CVE-2026-9547.html
>
> CVE-2026-10536: HTTP/2 stream-dependency tree UAF (LOW)
> https://curl.se/docs/CVE-2026-10536.html
>
> CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop (LOW)
> https://curl.se/docs/CVE-2026-11352.html
>
> CVE-2026-11564: Native CA trust persist (LOW)
> https://curl.se/docs/CVE-2026-11564.html
>
> CVE-2026-11586: WS Auto-PONG memory exhaustion (LOW)
> https://curl.se/docs/CVE-2026-11586.html
>
> CVE-2026-11856: cross-origin Digest auth state leak (MEDIUM)
> https://curl.se/docs/CVE-2026-11856.html
>
> CVE-2026-12064: proto-default skips SSH verification (LOW)
> https://curl.se/docs/CVE-2026-12064.html
>
> --
>
> / daniel.haxx.se || https://rock-solid.curl.dev
> --
> Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
> Etiquette: https://curl.se/mail/etiquette.html
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2026-06-27