18 CVEs fixed in Curl 8.21.0


curl: [SECURITY ADVISORIES] for curl 8.21.0


From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>

Date: Wed, 24 Jun 2026 08:08:57 +0200 (CEST)

Hello friends,

In association with the curl release 8.21.0 that we announced just minutes ago, we publish no less than eighteen new curl vulnerabilities.

Because of the large amount of issues, sending individual emails for each one would be a bit much so instead I list them all below and I link to each issue's individual explainer page.

CVE, title and severity. Listed here in numerical order. The order in which they were reported to us.

CVE-2026-8286: wrong STARTTLS connection reuse (LOW)

https://curl.se/docs/CVE-2026-8286.html

CVE-2026-8458: wrong reuse for different services (LOW)

https://curl.se/docs/CVE-2026-8458.html

CVE-2026-8924: trailing dot domain super cookie (LOW)

https://curl.se/docs/CVE-2026-8924.html

CVE-2026-8925: SASL double-free (MEDIUM)

https://curl.se/docs/CVE-2026-8925.html

CVE-2026-8926: password leak with netrc and user in URL (LOW)

https://curl.se/docs/CVE-2026-8926.html

CVE-2026-8927: env-set cross-proxy Digest auth state leak (MEDIUM)

https://curl.se/docs/CVE-2026-8927.html

CVE-2026-8932: incomplete mTLS config matching in conn reuse (LOW)

https://curl.se/docs/CVE-2026-8932.html

CVE-2026-9079: stale proxy password leak (MEDIUM)

https://curl.se/docs/CVE-2026-9079.html

CVE-2026-9080: UAF after pause in socket callback (LOW)

https://curl.se/docs/CVE-2026-9080.html

CVE-2026-9545: exposing HTTP/3 early data (LOW)

https://curl.se/docs/CVE-2026-9545.html

CVE-2026-9546: sending old referer (LOW)

https://curl.se/docs/CVE-2026-9546.html

CVE-2026-9547: SSH improper host validation (LOW)

https://curl.se/docs/CVE-2026-9547.html

CVE-2026-10536: HTTP/2 stream-dependency tree UAF (LOW)

https://curl.se/docs/CVE-2026-10536.html

CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop (LOW)

https://curl.se/docs/CVE-2026-11352.html

CVE-2026-11564: Native CA trust persist (LOW)

https://curl.se/docs/CVE-2026-11564.html

CVE-2026-11586: WS Auto-PONG memory exhaustion (LOW)

https://curl.se/docs/CVE-2026-11586.html

CVE-2026-11856: cross-origin Digest auth state leak (MEDIUM)

https://curl.se/docs/CVE-2026-11856.html

CVE-2026-12064: proto-default skips SSH verification (LOW)

https://curl.se/docs/CVE-2026-12064.html

/ daniel.haxx.se || https://rock-solid.curl.dev

Received on 2026-06-24
