curl 8.21.0 | daniel.haxx.se
Release presentation
At 09:00 UTC (11:00 CEST) today I will do a traditional live-streamed release presentation of this release over on my Twitch channel.
Numbers
the 275th release
6 changes
56 days (total: 10,817)
276 bugfixes (total: 14,187)
531 commits (total: 39,077)
0 new public libcurl function (total: 100)
0 new curl_easy_setopt() option (total: 308)
1 new curl command line option (total: 274)
102 contributors, 69 new (total: 3,731)
45 authors, 26 new (total: 1,489)
18 security fixes (total: 206)
Security
As mentioned before, the security report volume has been intense lately. We publish eighteen new curl vulnerabilities this time, a new project record both for a single release and for the total number of vulnerabilities published within the same calendar year.
As always, we have documented each vulnerability in detail and I encourage you to read up on the details.
Severity Medium
CVE-2026-8925: SASL double-free
CVE-2026-8927: env-set cross-proxy Digest auth state leak
CVE-2026-9079: stale proxy password leak
CVE-2026-11856: cross-origin Digest auth state leak
Severity Low
CVE-2026-8286: wrong STARTTLS connection reuse
CVE-2026-8458: wrong reuse for different services
CVE-2026-8924: trailing dot domain super cookie
CVE-2026-8926: password leak with netrc and user in URL
CVE-2026-8932: incomplete mTLS config matching in conn reuse
CVE-2026-9080: UAF after pause in socket callback
CVE-2026-9545: exposing HTTP/3 early data
CVE-2026-9546: sending old referer
CVE-2026-9547: SSH improper host validation
CVE-2026-10536: HTTP/2 stream-dependency tree UAF
CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop
CVE-2026-11564: Native CA trust persist
CVE-2026-11586: WS Auto-PONG memory exhaustion
CVE-2026-12064: proto-default skips SSH verification
Changes
The huge focus on vulnerability reports during this release cycle made us merge fewer new features than we wanted, but here are the ones we still managed to get to:
curl: named globs
curl: named globs in output file name for uploads
HTTP/3 proxy CONNECT and MASQUE CONNECT-UDP support
removed HTTP/2 stream dependency tracking
removed support for CURLAUTH_DIGEST_IE
added support for SHA256 host public keys with libssh
Bugfixes
We again managed to land more than 250 separate bugfixes, and they are all detailed in the changelog.
Pending removals
Planned upcoming removals include:
local crypto implementations
NTLM
SMB
TLS-SRP support
If you are concerned about any of these, speak up on the curl-library list ASAP.
Next release
Unless we messed up this one and need to do a patch release, the pending next release is scheduled to happen on September 2. This release cycle is extended by two weeks due to the summer of bliss.