---
title: "Critical Curl Update Fixes 18 Security Flaws and 25 Year Bug"
date: 2026-06-25
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/06/critical-curl-update-fixes-18-security-flaws.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# Critical Curl Update Fixes 18 Security Flaws and 25 Year Bug

A major Curl security update has fixed a record 18 vulnerabilities, including an authentication-related flaw in libcurl that had gone unnoticed for 25 years.

## **Quick Summary** – TLDR:

- Curl 8.21.0 fixes 18 security vulnerabilities, the most ever addressed in a single release.
- A 25-year-old connection-reuse bug in libcurl's mutual TLS handling, present since 2001, has finally been patched.
- The update resolves password leaks, memory corruption, authentication issues, and WebSocket-related flaws.
- Organizations running the Curl tool, or shipping software that links libcurl, are encouraged to upgrade as soon as possible.

## What Happened?

The **Curl** project has released **version 8.21.0**, delivering the largest security update in its history by fixing **18 vulnerabilities** in a single release. Among the fixes is a **25-year-old security flaw** introduced in **March 2001**, making it one of the oldest bugs ever discovered and patched in the widely used open source data transfer tool.

The release follows an intense period of security research, with multiple vulnerabilities identified by independent researchers and security firms. Despite the large number of issues addressed, there are currently **no reports of any of these vulnerabilities being actively exploited in real world attacks**.

> 18 CVEs in curl <https://t.co/bqxDWhdbGU>  
> LOW and MEDIUM severity. Fixed in 8.21.0. Message lists per-CVE titles, severities, and advisory links.
> 
> — Open Source Security mailing list (@oss\_security) [June 25, 2026](https://x.com/oss_security/status/2069977397747753255?ref_src=twsrc%5Etfw)

## Record-Breaking Security Release

The latest release sets multiple milestones for the project. It represents the **275th Curl release** and pushes the total number of publicly disclosed Curl vulnerabilities to **206**.

Project maintainer **Daniel Stenberg** acknowledged the unusually high number of security reports received over the past few months. The update includes **276 bug fixes**, **531 commits**, and contributions from **102 developers**, including **69 first time contributors**.

The release also becomes the project’s largest security update ever, surpassing all previous versions in the number of vulnerabilities resolved in a single release.

## Twenty-Five-Year-Old Bug Finally Resolved

One of the most notable fixes is **CVE-2026-8932**, an issue involving **mutual TLS connection reuse** in **libcurl**.

The flaw was introduced in **Curl version 7.7**, released on **March 22, 2001**. It allowed **libcurl** to reuse an existing connection even after the client certificate or private key configuration had changed. Because client authentication in mutual TLS happens during the handshake, a request that the application had configured with a different certificate or key could still be sent over a connection that had been authenticated with the earlier one, which could amount to an **authentication bypass** in applications using the library.

The vulnerability affects **libcurl-based applications** rather than the **Curl command-line tool**, making it particularly important for software developers who embed the library into their own applications.
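To make that failure mode concrete, here is an added illustration written for this article (editor's code, not curl's or libcurl's, and not a reconstruction of the actual fix): a minimal connection cache whose lookup key is built either from the destination alone or from the destination plus the client identity. The host name, the identity labels and the toy "server view" are assumptions made for the illustration.

```python
# Added illustration (editor's code, not curl's or libcurl's): why a connection
# cache must include the client identity in its lookup key. Mutual-TLS client
# authentication happens once, during the handshake, so a connection carries
# the identity it was opened with for its whole lifetime. The host name and the
# identity labels below are assumptions made for the illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ClientIdentity:
    """Client certificate and key an application configures for a transfer."""
    cert: Optional[str]  # label standing in for a certificate path; None = no client cert
    key: Optional[str]   # label standing in for a private key path


@dataclass
class Connection:
    host: str
    port: int
    authenticated_as: ClientIdentity  # fixed when the handshake completed


class ConnectionCache:
    """Minimal reuse pool. key_on_identity=False models the old behaviour
    (lookup by destination only); True models the corrected behaviour."""

    def __init__(self, key_on_identity: bool):
        self.key_on_identity = key_on_identity
        self._pool = {}
        self.handshakes = 0  # how many TLS handshakes this pool performed

    def _key(self, host: str, port: int, identity: ClientIdentity):
        if self.key_on_identity:
            return (host, port, identity)
        return (host, port)

    def get(self, host: str, port: int, identity: ClientIdentity) -> Connection:
        key = self._key(host, port, identity)
        conn = self._pool.get(key)
        if conn is None:
            # No reusable connection: open one, authenticating with the
            # identity the caller asked for.
            self.handshakes += 1
            conn = Connection(host, port, identity)
            self._pool[key] = conn
        return conn


def send_request(cache: ConnectionCache, host: str, port: int,
                 identity: ClientIdentity, path: str) -> ClientIdentity:
    """Perform a request and return the identity the server attributes it to.
    The server only ever saw the handshake, so it sees the connection's
    identity, not whatever the caller configured for this particular request.
    (path is unused in the model; it is there to mirror a real request.)"""
    conn = cache.get(host, port, identity)
    return conn.authenticated_as


def demo(key_on_identity: bool):
    """Three requests to one host with three different client identities.
    Returns the identity the server saw for each, plus the handshake count."""
    cache = ConnectionCache(key_on_identity)
    alice = ClientIdentity("alice.pem", "alice.key")
    bob = ClientIdentity("bob.pem", "bob.key")
    anonymous = ClientIdentity(None, None)
    host, port = "api.example.test", 443  # assumed destination
    seen = [send_request(cache, host, port, ident, "/whoami")
            for ident in (alice, bob, anonymous)]
    return seen, cache.handshakes


if __name__ == "__main__":
    for mode in (False, True):
        seen, handshakes = demo(mode)
        print("identity in key:", mode, "| server saw:",
              [i.cert or "anonymous" for i in seen], "| handshakes:", handshakes)
```

In the destination-only configuration the second and third requests, configured as bob and as an anonymous client, both travel over the connection that was authenticated as alice, and the server attributes them to alice; with the identity in the key each request gets its own handshake. For application code stuck on a libcurl that still has the bug, the same principle is the workaround (the editor's suggestion, not advice from the curl project): avoid switching `CURLOPT_SSLCERT`/`CURLOPT_SSLKEY` on a handle, or within a multi handle, whose connection cache may still hold connections opened under the previous identity, or force a new connection for that transfer with `CURLOPT_FRESH_CONNECT`.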

## Password Leaks and Memory Related Issues Fixed

Out of the **18 vulnerabilities**, **four were rated Medium severity** while the remaining **14 received Low severity ratings**.

Some of the most important fixes include:

- **CVE-2026-8925**, a **SASL double-free** vulnerability that could lead to memory corruption.
- **CVE-2026-8927**, involving a **cross-proxy Digest authentication state leak**.
- **CVE-2026-9079**, which fixes a **stale proxy password leak**.
- **CVE-2026-11856**, addressing a **cross-origin Digest authentication state leak**.
- **CVE-2026-8926**, preventing a **password leak** when combining **.netrc** credentials with usernames specified in URLs.
- **CVE-2026-11586**, fixing a **WebSocket auto-PONG memory exhaustion** issue that could result in denial of service conditions.
- **CVE-2026-9080** and **CVE-2026-10536**, both resolving **use-after-free** memory bugs.
- Additional fixes cover **SSH host validation**, **HTTP/3 early-data exposure**, **QUIC busy-loop behavior**, **supercookie handling**, and **connection reuse problems**.

## Community Research Played a Key Role

The wave of discoveries began after **[Anthropic’s Mythos](https://sqmagazine.co.uk/claude-mythos-public-release-safety-tests/)** identified a Curl vulnerability earlier this year. That finding sparked a wider community effort to examine older sections of the project’s code.

Security company **Aisle** also contributed significantly, identifying multiple vulnerabilities through its artificial intelligence powered analysis platform. According to the company, Curl has already had many obvious bugs removed over the years, leaving behind complex issues involving protocol handling, connection reuse, callback behavior, and authentication logic that are much harder to detect.

## New Features Arrive Alongside Security Fixes

Although security was the primary focus, **Curl 8.21.0** also introduces several new capabilities.

The release adds **named glob support** for URL patterns and output files, expands support for **HTTP/3 proxy CONNECT** and **MASQUE CONNECT-UDP**, and introduces **SHA-256 host public key support** through **libssh**.

The project has also removed **HTTP/2 stream dependency tracking** and ended support for **CURLAUTH_DIGEST_IE**. Developers were informed that support for **NTLM**, **SMB**, **TLS-SRP**, and local cryptographic implementations may be removed in future releases.

With **more than 30 billion devices** relying on Curl for data transfers across servers, mobile devices, vehicles, and countless software applications, keeping installations updated remains essential for maintaining security.
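A practical first step is an inventory check. The following is an added example (editor's code, not part of curl) that reads the first line of a `curl --version` banner, extracts both the tool version and the linked libcurl version, and flags anything older than 8.21.0. The host names and banner lines are constructed samples, not output from any real system.

```python
# Added example (editor's code, not part of curl): flag hosts whose curl tool
# or linked libcurl predates the 8.21.0 fixes, from the first line of their
# `curl --version` output. Every banner below is a constructed sample.
import re

FIXED_IN = (8, 21, 0)

# First banner line has the shape:
#   curl 8.14.1 (x86_64-pc-linux-gnu) libcurl/8.14.1 OpenSSL/3.0.13 zlib/1.3 ...
_TOOL_RE = re.compile(r"^curl (\d+)\.(\d+)\.(\d+)")
_LIB_RE = re.compile(r"libcurl/(\d+)\.(\d+)\.(\d+)")


def _version(match):
    """Regex match with three numeric groups -> (major, minor, patch), or None."""
    return tuple(int(x) for x in match.groups()) if match else None


def parse_banner(banner: str):
    """Return (tool_version, libcurl_version) as int tuples; None where absent."""
    lines = banner.strip().splitlines()
    first = lines[0] if lines else ""
    return _version(_TOOL_RE.search(first)), _version(_LIB_RE.search(first))


def needs_update(banner: str) -> bool:
    """True if the tool or the libcurl it links is older than 8.21.0.
    The library version is the one that matters for library bugs such as
    CVE-2026-8932: a tool binary built against an older shared libcurl is
    still exposed even if the binary itself reports 8.21.0."""
    tool, lib = parse_banner(banner)
    if tool is None and lib is None:
        raise ValueError("not a curl --version banner")
    return any(v is not None and v < FIXED_IN for v in (tool, lib))


# Constructed sample inventory (host -> banner); not output from real systems.
SAMPLE_INVENTORY = {
    "build-01": "curl 8.14.1 (x86_64-pc-linux-gnu) libcurl/8.14.1 OpenSSL/3.0.13 zlib/1.3\n"
                "Protocols: file ftp ftps http https\n",
    "ci-02": "curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.21.0 OpenSSL/3.0.13 zlib/1.3\n",
    # tool rebuilt, but dynamically linked against an older system libcurl
    "legacy-03": "curl 8.21.0 (aarch64-unknown-linux-gnu) libcurl/8.20.0 OpenSSL/3.0.13\n",
}


def hosts_needing_update(inventory):
    """Sorted list of host names whose banner shows a pre-8.21.0 component."""
    return sorted(host for host, banner in inventory.items() if needs_update(banner))


if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY.items():
        print(host, parse_banner(banner), "UPDATE" if needs_update(banner) else "ok")
```

The libcurl field is the one to watch: the 25-year-old bug lives in the library, so a host whose curl binary reports 8.21.0 but is dynamically linked against an older libcurl (the legacy-03 sample) is still exposed. Applications that bundle or statically link their own copy of libcurl will not show up in this banner at all and need to be tracked separately, for example through an SBOM.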

## SQ Magazine Takeaway

I think this release highlights why even the most trusted open source software should never be taken for granted. A security flaw can remain hidden for decades, even in software used by billions of devices worldwide. The Curl community deserves credit for turning one vulnerability into a much broader security review, giving users a significantly stronger and safer release.