curl / Mailing Lists / curl-users / Single Mail
Buy commercial curl support. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder Daniel himself.

Re: [SECURITY ADVISORIES] for curl 8.21.0

From: toby via curl-users <curl-users_at_lists.haxx.se>
Date: Sat, 27 Jun 2026 11:24:42 -0600

Hi

are any of these exploitable?

i do find it amazing and sorta scarry that the ai (i assume it was ai bots that scrutinized your release in 4 minutes) can locate such esoteric (to me anyway) 'bugs'




On Wed, 24 Jun 2026 08:08:57 +0200 (CEST)
Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se> wrote:

> Hello friends,
>
> In association with the curl release 8.21.0 that we announced just minutes
> ago, we publish no less than eighteen new curl vulnerabilities.
>
> Because of the large amount of issues, sending individual emails for each one
> would be a bit much so instead I list them all below and I link to each
> issue's individual explainer page.
>
> CVE, title and severity. Listed here in numerical order. The order in which
> they were reported to us.
>
> CVE-2026-8286: wrong STARTTLS connection reuse (LOW)
> https://curl.se/docs/CVE-2026-8286.html
>
> CVE-2026-8458: wrong reuse for different services (LOW)
> https://curl.se/docs/CVE-2026-8458.html
>
> CVE-2026-8924: traling dot domain super cookie (LOW)
> https://curl.se/docs/CVE-2026-8924.html
>
> CVE-2026-8925: SASL double-free (MEDIUM)
> https://curl.se/docs/CVE-2026-8925.html
>
> CVE-2026-8926: password leak with netrc and user in URL (LOW)
> https://curl.se/docs/CVE-2026-8926.html
>
> CVE-2026-8927: env-set cross-proxy Digest auth state leak (MEDIUM)
> https://curl.se/docs/CVE-2026-8927.html
>
> CVE-2026-8932: incomplete mTLS config matching in conn reuse (LOW)
> https://curl.se/docs/CVE-2026-8932.html
>
> CVE-2026-9079: stale proxy password leak (MEDIUM)
> https://curl.se/docs/CVE-2026-9079.html
>
> CVE-2026-9080: UAF after pause in socket callback (LOW)
> https://curl.se/docs/CVE-2026-9080.html
>
> CVE-2026-9545: exposing HTTP/3 early data (LOW)
> https://curl.se/docs/CVE-2026-9545.html
>
> CVE-2026-9546: sending old referer (LOW)
> https://curl.se/docs/CVE-2026-9546.html
>
> CVE-2026-9547: SSH improper host validation (LOW)
> https://curl.se/docs/CVE-2026-9547.html
>
> CVE-2026-10536: HTTP/2 stream-dependency tree UAF (LOW)
> https://curl.se/docs/CVE-2026-10536.html
>
> CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop (LOW)
> https://curl.se/docs/CVE-2026-11352.html
>
> CVE-2026-11564: Native CA trust persist (LOW)
> https://curl.se/docs/CVE-2026-11564.html
>
> CVE-2026-11586: WS Auto-PONG memory exhaustion (LOW)
> https://curl.se/docs/CVE-2026-11586.html
>
> CVE-2026-11856: cross-origin Digest auth state leak (MEDIUM)
> https://curl.se/docs/CVE-2026-11856.html
>
> CVE-2026-12064: proto-default skips SSH verification (LOW)
> https://curl.se/docs/CVE-2026-12064.html
>
> --
>
> / daniel.haxx.se || https://rock-solid.curl.dev
> --
> Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
> Etiquette: https://curl.se/mail/etiquette.html
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette:   https://curl.se/mail/etiquette.html
Received on 2026-06-27