Download
Browse source Changelog Release candidates Release log tiny-curl
Documentation
Project FAQ   Help us   Known bugs   Known risks   TODO Protocols   CA bundle   HTTP Cookies   SSL Certs Releases   Security   Verify   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting trurl wcurl Videos Who and Why
libcurl
API Examples Features Mailing list Symbols Using libcurl Tutorial
Get Help
curl-library curl-users IRC / chat Mailing lists Everything curl [book] Video presentations Report a bug Report security issue Paid support
Development
Autobuilds Code review Code style Contribute Dashboard Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Specifications Test curl Tests Overview Vulnerability Disclosure Policy
curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder Daniel himself.

[SECURITY ADVISORIES] for curl 8.21.0

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 24 Jun 2026 08:08:57 +0200 (CEST)

Hello friends,

In association with the curl release 8.21.0 that we announced just minutes
ago, we publish no less than eighteen new curl vulnerabilities.

Because of the large amount of issues, sending individual emails for each one
would be a bit much so instead I list them all below and I link to each
issue's individual explainer page.

CVE, title and severity. Listed here in numerical order. The order in which
they were reported to us.

CVE-2026-8286: wrong STARTTLS connection reuse (LOW)
   https://curl.se/docs/CVE-2026-8286.html

CVE-2026-8458: wrong reuse for different services (LOW)
   https://curl.se/docs/CVE-2026-8458.html

CVE-2026-8924: traling dot domain super cookie (LOW)
   https://curl.se/docs/CVE-2026-8924.html

CVE-2026-8925: SASL double-free (MEDIUM)
   https://curl.se/docs/CVE-2026-8925.html

CVE-2026-8926: password leak with netrc and user in URL (LOW)
   https://curl.se/docs/CVE-2026-8926.html

CVE-2026-8927: env-set cross-proxy Digest auth state leak (MEDIUM)
   https://curl.se/docs/CVE-2026-8927.html

CVE-2026-8932: incomplete mTLS config matching in conn reuse (LOW)
   https://curl.se/docs/CVE-2026-8932.html

CVE-2026-9079: stale proxy password leak (MEDIUM)
   https://curl.se/docs/CVE-2026-9079.html

CVE-2026-9080: UAF after pause in socket callback (LOW)
   https://curl.se/docs/CVE-2026-9080.html

CVE-2026-9545: exposing HTTP/3 early data (LOW)
   https://curl.se/docs/CVE-2026-9545.html

CVE-2026-9546: sending old referer (LOW)
   https://curl.se/docs/CVE-2026-9546.html

CVE-2026-9547: SSH improper host validation (LOW)
   https://curl.se/docs/CVE-2026-9547.html

CVE-2026-10536: HTTP/2 stream-dependency tree UAF (LOW)
   https://curl.se/docs/CVE-2026-10536.html

CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop (LOW)
   https://curl.se/docs/CVE-2026-11352.html

CVE-2026-11564: Native CA trust persist (LOW)
   https://curl.se/docs/CVE-2026-11564.html

CVE-2026-11586: WS Auto-PONG memory exhaustion (LOW)
   https://curl.se/docs/CVE-2026-11586.html

CVE-2026-11856: cross-origin Digest auth state leak (MEDIUM)
   https://curl.se/docs/CVE-2026-11856.html

CVE-2026-12064: proto-default skips SSH verification (LOW)
   https://curl.se/docs/CVE-2026-12064.html 

-- 
  / daniel.haxx.se || https://rock-solid.curl.dev
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
Received on 2026-06-24