
25-Year-Old Vulnerability in cURL Used by 30 Billion Devices Finally Patched

By Guru Baran, Cyber Security News, June 25, 2026


A security flaw that lurked in curl for over 25 years has been patched as part of a record-breaking security release that fixed 18 CVEs, the most ever issued for a single curl version. The vulnerability, CVE-2026-8932, first shipped in curl 7.7 on March 22, 2001, making it the oldest curl security issue ever reported; the release's own severity table (below) rates it Low, but its age is what makes it notable. The release, announced by maintainer Daniel Stenberg on June 24, 2026, also sets the record for the most vulnerabilities fixed in a single curl version.

curl is not just a command-line tool; it is foundational infrastructure. Running on more than 30 billion devices, it powers data transfers across operating systems, containers, CI/CD pipelines, package managers, SDKs, and automotive systems. The vast majority of users never interact with curl directly but instead rely on libcurl, the embedded engine inside countless products, which makes vulnerabilities in the library especially dangerous and difficult to trace: the affected copy is often a statically linked or vendored build that no package manager knows about.

The wave of discoveries began on May 11, 2026, when curl founder and lead developer Daniel Stenberg announced that Anthropic's Mythos AI model had identified a single CVE in curl. That disclosure triggered an unprecedented flood of security reports targeting the curl project. When the dust settled, 18 CVEs had been issued for the curl 8.21.0 release, a record high for any single curl version.

AISLE, an AI-powered, model-agnostic security platform, claimed 6 of the 18 CVEs, plus additional valid findings across curl and libcurl. The next-closest AI-powered organization received 3 CVEs, while researchers using Anthropic and OpenAI models found 1 each.
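Because most of the affected code lives in libcurl rather than the curl binary, "run curl --version" does not tell you whether a host is fixed. The scanner below is an added example written for this page (not a curl project tool, and not code from the article): it walks a filesystem for the "libcurl/X.Y.Z" version string that libcurl builds embed and flags any copy older than 8.21.0. The fixture files in demo() are constructed for illustration; the 8.21.0 threshold and the version-string format are the only facts it relies on.

```python
"""Inventory embedded libcurl copies on disk and flag versions before 8.21.0.

Added illustration, not a curl project tool. libcurl embeds a "libcurl/X.Y.Z"
string (it is how the library reports its own version), so grepping executables
and shared objects for it finds statically linked or vendored copies that
`curl --version` never reveals. demo() runs the scan over constructed fixtures.
"""
import os
import re
import stat
import sys
import tempfile
from typing import Iterable, List, Set, Tuple

Version = Tuple[int, int, int]
FIXED_IN: Version = (8, 21, 0)                 # release that shipped the 18 fixes
VERSION_RE = re.compile(rb"libcurl/(\d+)\.(\d+)\.(\d+)")
MAX_FILE_SIZE = 256 * 1024 * 1024              # skip disk images and the like
CHUNK = 1 << 20
OVERLAP = 32                                   # longer than any "libcurl/X.Y.Z" match


def needs_upgrade(v: Version) -> bool:
    """True when the version predates the fixed release (tuple comparison)."""
    return v < FIXED_IN


def versions_in_bytes(data: bytes) -> Set[Version]:
    """Every distinct libcurl version string present in a byte buffer."""
    return {tuple(int(g) for g in m.groups()) for m in VERSION_RE.finditer(data)}


def versions_in_file(path: str) -> Set[Version]:
    """Chunked scan with overlap so a match split across chunks is still found."""
    found: Set[Version] = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            buf = tail + block
            found |= versions_in_bytes(buf)
            tail = buf[-OVERLAP:]
    return found


def scan(roots: Iterable[str]) -> List[Tuple[str, Version, bool]]:
    """Walk roots; return (path, version, needs_upgrade) for each libcurl string found."""
    hits: List[Tuple[str, Version, bool]] = []
    for root in roots:
        for dirpath, _dirs, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: symlinks are not regular files, so skipped
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_FILE_SIZE:
                    continue
                try:
                    versions = versions_in_file(path)
                except OSError:
                    continue
                for v in sorted(versions):
                    hits.append((path, v, needs_upgrade(v)))
    return sorted(hits)


def demo() -> List[Tuple[str, Version, bool]]:
    """Constructed fixture: three fake files standing in for binaries on disk."""
    fixtures = {
        "libcurl.so.4": b"\x7fELF...\x00libcurl/8.20.0\x00",
        "vendor-agent": b"\x00\x00libcurl/7.7.0\x00 some text libcurl/8.21.0\x00",
        "readme.txt": b"no version string here",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, content in fixtures.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(content)
        return [(os.path.basename(p), v, flag) for p, v, flag in scan([d])]


if __name__ == "__main__":
    roots = sys.argv[1:] or ["/usr", "/opt"]
    for path, v, flag in scan(roots):
        print(f"{'UPGRADE' if flag else 'ok     '} libcurl/{v[0]}.{v[1]}.{v[2]}  {path}")
```

Run it with one or more root directories (for example a mounted container image or a firmware extraction) to get a list of every embedded libcurl and whether it predates 8.21.0; a hit inside a vendor binary is the case the article describes, where the end user cannot patch the library themselves and must wait for the product update.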
All six AISLE findings were responsibly disclosed and patched in the June 24, 2026 release of curl 8.21.0:

CVE | Area | Impact
CVE-2026-8926 | .netrc credential handling | Credential confusion: the wrong user's password is selected for the same host
CVE-2026-8925 | SASL authentication | Double-free of the GSASL context in SASL protocol flows
CVE-2026-8932 | mTLS connection reuse | Authentication bypass: a connection is reused after the client certificate changes (the 25-year-old flaw)
CVE-2026-9080 | Multi socket callback | Use-after-free when curl_easy_pause() is called inside the socket callback
CVE-2026-9547 | SSH host validation | Improper host validation: server key types that should be rejected are accepted via the libssh backend
CVE-2026-10536 | HTTP/2 stream dependencies | Use-after-free when resetting and cleaning up HTTP/2 dependency handles

Beyond the CVEs, AISLE also disclosed three additional memory safety issues, including a heap out-of-bounds read in urlapi and use-after-free/double-free bugs in HSTS handling, all reported via HackerOne.

Notably, several of these vulnerabilities affect only libcurl, not the curl command-line tool itself. They therefore sit deep inside embedded products where end users have no visibility and no direct way to patch them. Whether the vulnerable code is reachable depends on how the embedding application uses the library (which protocols, callbacks, and credential sources it exercises), which makes these findings especially significant for enterprise and IoT environments.
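The .netrc entry above (the wrong user's password chosen for the same host) comes down to one selection rule: when the URL names a user, only a .netrc entry whose login matches that user may supply the password. The example below is an added illustration written for this page, not curl's netrc code; NETRC_TEXT is a constructed file with two accounts for one machine, and the parser handles only machine/default blocks with login, password and account tokens (macdef is ignored). It contrasts a host-only lookup with one that honours the login.

```python
"""Worked .netrc lookup: host-only matching vs. matching on host and login.

Added illustration, not curl's code. NETRC_TEXT is a constructed sample.
"""
import shlex
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

NETRC_TEXT = """\
# constructed sample .netrc: two accounts on the same machine
machine api.example.test login alice password alice-secret
machine api.example.test login bob password bob-secret
default login anonymous password guest@example.test
"""

Entry = Dict[str, Optional[str]]
Creds = Optional[Tuple[Optional[str], Optional[str]]]  # (login, password)


def parse_netrc(text: str) -> List[Entry]:
    """Minimal parser for machine/default blocks; macdef blocks are not handled."""
    tokens = shlex.split(text, comments=True)
    entries: List[Entry] = []
    current: Optional[Entry] = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine" and i + 1 < len(tokens):
            current = {"machine": tokens[i + 1]}
            entries.append(current)
            i += 2
        elif tok == "default":
            current = {"machine": None}          # None marks the default entry
            entries.append(current)
            i += 1
        elif tok in ("login", "password", "account") and current is not None and i + 1 < len(tokens):
            current[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return entries


def host_only_lookup(entries: List[Entry], host: str) -> Creds:
    """Flawed selection: the first entry for the host wins, whatever user the URL asked for."""
    for e in entries:
        if e["machine"] == host:
            return e.get("login"), e.get("password")
    return None


def lookup(entries: List[Entry], host: str, user: Optional[str] = None) -> Creds:
    """Selection that honours the URL's user: host-specific entries first, then the
    default entry, and with a user given only an entry whose login matches may answer.
    If nothing matches, return None rather than guess another account's password."""
    for want_default in (False, True):
        for e in entries:
            is_default = e["machine"] is None
            if is_default != want_default:
                continue
            if not is_default and e["machine"] != host:
                continue
            if user is not None and e.get("login") != user:
                continue
            return e.get("login"), e.get("password")
    return None


def credentials_for_url(entries: List[Entry], url: str, strict: bool = True) -> Creds:
    """Resolve credentials for a URL; a password given in the URL itself wins outright."""
    u = urlsplit(url)
    if u.password is not None:
        return u.username, u.password
    if strict:
        return lookup(entries, u.hostname or "", u.username)
    return host_only_lookup(entries, u.hostname or "")


ENTRIES = parse_netrc(NETRC_TEXT)
```

With the URL https://bob@api.example.test/ the host-only path hands bob's request alice's password, which is exactly the confusion described for the .netrc entry; the strict path returns bob's, and for a user with no entry it returns nothing.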
The full set of 18 CVEs fixed in curl 8.21.0, with the project's severity ratings:

CVE | Severity | Description
CVE-2026-8925 | Medium | SASL double-free leading to memory corruption or crashes
CVE-2026-8927 | Medium | Cross-proxy Digest auth state leak
CVE-2026-9079 | Medium | Stale proxy password leak
CVE-2026-11856 | Medium | Cross-origin Digest auth state leak
CVE-2026-8286 | Low | Wrong STARTTLS connection reuse
CVE-2026-8458 | Low | Wrong connection reuse for different services
CVE-2026-8924 | Low | Trailing dot domain super cookie
CVE-2026-8926 | Low | Password leak with netrc and user in URL
CVE-2026-8932 | Low | Incomplete mTLS config matching in connection reuse
CVE-2026-9080 | Low | Use-after-free after pause in socket callback
CVE-2026-9545 | Low | HTTP/3 early data exposure
CVE-2026-9546 | Low | Old referer data disclosure
CVE-2026-9547 | Low | SSH improper host validation
CVE-2026-10536 | Low | HTTP/2 stream-dependency tree use-after-free
CVE-2026-11352 | Low | QUIC zero-length UDP datagrams busy-loop
CVE-2026-11564 | Low | Native CA trust persistence issue
CVE-2026-11586 | Low | WebSocket Auto-PONG memory exhaustion
CVE-2026-12064 | Low | SSH verification skipped by proto-default

Beyond the security fixes, curl 8.21.0 introduces a limited set of new features, given the heavy focus on vulnerability remediation during this cycle. Key additions include support for named globs in file uploads and enhanced HTTP/3 proxy capabilities using CONNECT and MASQUE CONNECT-UDP. The release also removes deprecated features such as HTTP/2 stream dependency tracking and CURLAUTH_DIGEST_IE support, aligning the project with modern protocol practice. Developers are also warned about upcoming removals, including NTLM, SMB, TLS-SRP, and local crypto implementations.

In total, the release includes 276 bug fixes and over 500 commits contributed by more than 100 developers, reflecting the scale of ongoing maintenance and security efforts.
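Four entries in the table above (CVE-2026-8286, CVE-2026-8458, CVE-2026-8932 and CVE-2026-9079) are the same design failure seen from different protocols: a pooled connection is matched on where it goes but not on every option that determines who the peer thinks we are or whether the link is protected. The model below is an added example written for this page, not curl's connection cache; the transfer labels, hostnames and option names are constructed. It runs one scenario through a cache keyed on endpoint only and through one keyed on the full set of authentication-relevant options, and reports which transfers were silently handed a socket set up under someone else's settings.

```python
"""Connection-cache matching: endpoint-only keys vs. keys over every
authentication-relevant option. Added illustration, not curl's code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TlsOptions:
    client_cert: Optional[str] = None   # alias of client cert to present; None = no mTLS
    ca_bundle: str = "system"
    verify_peer: bool = True
    starttls: bool = False              # upgrade a plaintext protocol (e.g. IMAP) to TLS


@dataclass(frozen=True)
class Transfer:
    label: str
    scheme: str
    host: str
    port: int
    tls: TlsOptions = TlsOptions()
    user: Optional[str] = None          # protocol-level user (e.g. HTTP auth)
    proxy: Optional[str] = None         # proxy URL including its credentials, if any


@dataclass
class Connection:
    conn_id: int
    established_with: Transfer          # the options the socket was actually set up under


KeyFn = Callable[[Transfer], tuple]


def endpoint_key(t: Transfer) -> tuple:
    """Flawed matcher: anything to the same endpoint counts as the same connection."""
    return (t.scheme, t.host, t.port)


def full_key(t: Transfer) -> tuple:
    """Matcher over every option that changes identity or link protection."""
    return (t.scheme, t.host, t.port, t.tls, t.user, t.proxy)


class ConnectionCache:
    def __init__(self, key_fn: KeyFn) -> None:
        self.key_fn = key_fn
        self.pool: Dict[tuple, Connection] = {}
        self.counter = 0

    def checkout(self, t: Transfer) -> Tuple[Connection, bool]:
        """Return (connection, reused); a miss creates a connection under t's options."""
        key = self.key_fn(t)
        conn = self.pool.get(key)
        if conn is not None:
            return conn, True
        self.counter += 1
        conn = Connection(self.counter, t)
        self.pool[key] = conn
        return conn, False


def run(key_fn: KeyFn, transfers: List[Transfer]) -> List[dict]:
    """Drive transfers through a cache and record what each one actually got."""
    cache = ConnectionCache(key_fn)
    out: List[dict] = []
    for t in transfers:
        conn, reused = cache.checkout(t)
        est = conn.established_with
        out.append({
            "label": t.label,
            "reused": reused,
            "wrong_identity": est.tls.client_cert != t.tls.client_cert,
            "starttls_mismatch": est.tls.starttls != t.tls.starttls,
            "wrong_proxy_creds": est.proxy != t.proxy,
        })
    return out


def problems(results: List[dict]) -> List[str]:
    """Labels of transfers that rode a reused socket set up under different settings."""
    return [r["label"] for r in results
            if r["reused"] and (r["wrong_identity"] or r["starttls_mismatch"] or r["wrong_proxy_creds"])]


# Constructed scenario: same endpoints, changing identity-relevant options.
SCENARIO = [
    Transfer("admin-as-svcA", "https", "api.example.test", 443, TlsOptions(client_cert="svcA")),
    Transfer("admin-as-svcB", "https", "api.example.test", 443, TlsOptions(client_cert="svcB")),
    Transfer("mail-plain", "imap", "mail.example.test", 143, TlsOptions(starttls=False)),
    Transfer("mail-starttls", "imap", "mail.example.test", 143, TlsOptions(starttls=True)),
    Transfer("via-proxy-1", "http", "intranet.example.test", 80,
             proxy="http://p1:s1@proxy.example.test:3128"),
    Transfer("via-proxy-2", "http", "intranet.example.test", 80,
             proxy="http://p2:s2@proxy.example.test:3128"),
    Transfer("admin-as-svcA-again", "https", "api.example.test", 443, TlsOptions(client_cert="svcA")),
]

if __name__ == "__main__":
    print("endpoint-only key, misrouted transfers:", problems(run(endpoint_key, SCENARIO)))
    print("full key, misrouted transfers:        ", problems(run(full_key, SCENARIO)))
```

Under the endpoint-only key the second mTLS transfer is served on the socket authenticated as svcA, the STARTTLS mail transfer lands on the plaintext IMAP socket, and the second proxy user inherits the first user's proxy session; under the full key each of those gets a fresh connection while the genuine repeat (admin-as-svcA-again) is still reused. The lesson that generalises beyond the four CVEs: every option that influences authentication or transport security has to be part of the reuse key, and adding a new such option without extending the matcher reintroduces the bug.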
Security teams and developers are strongly advised to upgrade to curl 8.21.0 immediately, especially in environments that rely on authentication mechanisms, proxy configurations, or HTTP/2 and HTTP/3 features. Because most of the fixes are in libcurl, the upgrade also has to reach the vendor products, container images and firmware that bundle the library, where the operator cannot simply replace the curl binary.

Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage of global cybersecurity developments.