curl: 25-Year-Old Vulnerability in cURL Used by 30 Billion Devices Finally Patched

25-Year-Old Critical Flaw in curl Patched in Record-Breaking Security Release

A historic security update for curl, the ubiquitous data transfer tool and library, patched 18 CVEs, the most ever addressed in a single release, including a 25-year-old critical vulnerability (CVE-2026-8932) that had persisted since March 2001. The flaws were disclosed with curl 8.21.0, released on June 24, 2026, following an unprecedented surge in vulnerability reports triggered by an initial AI-driven discovery.

The Flaws & Their Impact

The vulnerabilities span authentication bypasses, memory corruption, credential leaks, and improper host validation. Many of them affect libcurl, the embedded library that powers billions of devices, from IoT systems to CI/CD pipelines. Key issues include:

  • CVE-2026-8932 (mTLS connection reuse): A 25-year-old flaw that allowed an established connection to be reused after the client certificate changed, resulting in an authentication bypass.
  • CVE-2026-8925 (SASL double-free): Memory corruption in SASL authentication flows.
  • CVE-2026-9547 (SSH host validation): Improper handling of server host keys rejected via libssh.
  • CVE-2026-9080 (HTTP/2 use-after-free): A use-after-free, observed as a crash, when resetting HTTP/2 dependency handles.
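The mTLS entry above describes a connection-pool keying problem: a pooled connection carries the identity it was authenticated with at handshake time, so handing it to a later request that supplied a different client certificate (or none) lets that request act under the first identity. The following is an added illustration of that bug class, not curl's code: the page does not describe how libcurl keys its pool, so both pools below are this example's own models (a naive pool keyed on the destination only, beside a hardened pool whose key also carries the credential identity), and the certificate bytes and host name are constructed placeholders.

```python
"""Model of the connection-reuse bug class behind the mTLS entry above.

This is an added illustration, not curl's code. The page states only that
a connection could be reused after the client certificate changed, giving
an authentication bypass; it does not describe how libcurl keys its pool.
Both pools below are therefore this example's own models: a naive pool
keyed on the destination alone, and a hardened pool whose key also
carries the identity the connection was authenticated with. Real pooling
code must also key on CA bundle, pinning, proxy and similar settings;
they are omitted here so the one relevant difference stays visible.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed placeholder "certificates": only their bytes matter for the model.
CERT_ALICE = b"-----BEGIN CERTIFICATE-----\nALICE\n-----END CERTIFICATE-----\n"
CERT_BOB = b"-----BEGIN CERTIFICATE-----\nBOB\n-----END CERTIFICATE-----\n"


def fingerprint(cert_pem: Optional[bytes]) -> Optional[str]:
    """Identity the server would see; None means no client cert was presented."""
    if cert_pem is None:
        return None
    return hashlib.sha256(cert_pem).hexdigest()[:16]


@dataclass
class Conn:
    host: str
    port: int
    client_cert_fp: Optional[str]   # fixed at handshake time; cannot change afterwards

    def server_sees(self) -> Optional[str]:
        return self.client_cert_fp


class NaivePool:
    """Reuses any live connection to host:port, whatever it was authenticated as."""

    def __init__(self) -> None:
        self._conns: Dict[Tuple[str, int], Conn] = {}

    def get(self, host: str, port: int, client_cert: Optional[bytes]) -> Conn:
        key = (host, port)
        if key not in self._conns:
            self._conns[key] = Conn(host, port, fingerprint(client_cert))
        return self._conns[key]   # BUG: client_cert is ignored on the reuse path


class HardenedPool:
    """A connection's identity includes the credential it was authenticated with."""

    def __init__(self) -> None:
        self._conns: Dict[Tuple[str, int, Optional[str]], Conn] = {}

    def get(self, host: str, port: int, client_cert: Optional[bytes]) -> Conn:
        fp = fingerprint(client_cert)
        key = (host, port, fp)
        if key not in self._conns:
            self._conns[key] = Conn(host, port, fp)
        return self._conns[key]


def identities_seen(pool, requests: List[Optional[bytes]]) -> List[Optional[str]]:
    """Send a sequence of requests (each with its own client cert, or None) to one
    host through the given pool and report the identity the server sees each time."""
    return [pool.get("api.example.test", 443, cert).server_sees() for cert in requests]


if __name__ == "__main__":
    seq = [CERT_ALICE, CERT_BOB, None]
    print("naive   :", identities_seen(NaivePool(), seq))
    print("hardened:", identities_seen(HardenedPool(), seq))
```

With the naive pool, both of the later requests (Bob's, and one with no certificate at all) ride the connection Alice authenticated, so the server attributes them to Alice; that second case is the more dangerous one, since an unauthenticated caller inherits a privileged session. The hardened pool opens a fresh connection whenever the credential differs, which is the property any pool fronting mTLS has to preserve.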

Most of the CVEs were rated Medium or Low severity, but their reach is vast: because libcurl is embedded, many of the affected components are invisible to end users, leaving enterprise and IoT environments particularly exposed.

AI’s Role in Discovery

The wave of disclosures began on May 11, 2026, when Anthropic’s Mythos AI identified an initial CVE. This prompted a flood of reports, with AISLE, an AI-powered security platform, uncovering 6 of the 18 CVEs, more than any other contributor. Other AI models (from Anthropic and OpenAI) and human researchers contributed additional findings.

Broader Fixes & Future Changes

Beyond security patches, curl 8.21.0 introduces:

  • Named globs for file uploads and HTTP/3 proxy enhancements.
  • Deprecation of outdated features, including HTTP/2 stream dependency tracking and NTLM, SMB, and TLS-SRP support (all slated for removal).

The release also includes 276 bug fixes and more than 500 commits from over 100 contributors, reflecting the project’s ongoing maintenance load.

Why It Matters

With curl running on over 30 billion devices, these flaws, especially those in libcurl, pose systemic risk. Many embedded systems lack a direct patching mechanism, amplifying the urgency for organizations to update what they can and to confirm with vendors that firmware builds carry the fix. The incident underscores the growing role of AI in vulnerability discovery and the long-tail risks of foundational software.
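A practical first step for that update push is to know which builds in a fleet are below 8.21.0 and which of the affected subsystems each build even compiles in, since a build without libssh or HTTP/2, for example, cannot be reached through those code paths. The script below is an added example, not code from the curl project or the article: it parses the report that `curl --version` prints, compares the libcurl version (the one that matters for embedding applications) against the fix release, and lists the subsystems named on this page that the build has enabled. The mapping from reported libraries, protocols and features to subsystems is this script's own heuristic, not the exact preconditions of any individual CVE, and the two sample reports are constructed.

```python
"""Triage `curl --version` output against the 8.21.0 fix release.

Added example, not code from the curl project or from the article. The
fixed version (8.21.0), the affected subsystems (mTLS connection reuse,
SASL, libssh host-key validation, HTTP/2) and the deprecated features
(NTLM, SMB, TLS-SRP) come from the release summary above. Mapping a
build's reported libraries, protocols and features to "which of those
subsystems this build compiles in" is this script's own assumption: a
fleet-triage heuristic, not the exact preconditions of any single CVE.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Set, Tuple

FIXED_VERSION = (8, 21, 0)
SASL_PROTOCOLS = {"imap", "imaps", "pop3", "pop3s", "smtp", "smtps"}   # assumed SASL users
DEPRECATED_FEATURES = {"NTLM", "TLS-SRP"}
DEPRECATED_PROTOCOLS = {"smb", "smbs"}


@dataclass
class Build:
    curl_version: Tuple[int, int, int]
    libcurl_version: Tuple[int, int, int]   # what an embedding application actually links
    libs: List[str]
    protocols: Set[str]
    features: Set[str]
    distro_patched: bool                    # "security patched:" marker some distro builds print


@dataclass
class Triage:
    libcurl_version: Tuple[int, int, int]
    below_fix: bool
    distro_patched: bool
    exposed: List[str] = field(default_factory=list)
    deprecated_in_use: List[str] = field(default_factory=list)


def _ver(s: str) -> Tuple[int, int, int]:
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"bad version string: {s!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def parse_version_output(text: str) -> Build:
    """Parse the multi-line report curl prints for `curl --version`."""
    lines = text.strip().splitlines()
    m = re.match(r"curl (\S+) \([^)]*\)\s*(.*)", lines[0]) if lines else None
    if not m:
        raise ValueError("not `curl --version` output")
    curl_ver = _ver(m.group(1))
    libs = m.group(2).split()
    lib_ver = curl_ver
    for tok in libs:
        if tok.startswith("libcurl/"):
            lib_ver = _ver(tok.split("/", 1)[1])
    protocols: Set[str] = set()
    features: Set[str] = set()
    distro_patched = False
    for line in lines[1:]:
        if line.startswith("Protocols:"):
            protocols = set(line.split()[1:])
        elif line.startswith("Features:"):
            features = set(line.split()[1:])
        elif "security patched:" in line:
            distro_patched = True
    return Build(curl_ver, lib_ver, libs, protocols, features, distro_patched)


def triage(text: str) -> Triage:
    b = parse_version_output(text)
    t = Triage(b.libcurl_version, b.libcurl_version < FIXED_VERSION, b.distro_patched)
    t.deprecated_in_use = sorted((b.features & DEPRECATED_FEATURES) | (b.protocols & DEPRECATED_PROTOCOLS))
    if not t.below_fix:
        return t
    if "SSL" in b.features:
        t.exposed.append("mTLS connection reuse (CVE-2026-8932)")
    if b.protocols & SASL_PROTOCOLS:
        t.exposed.append("SASL double-free (CVE-2026-8925)")
    # 'libssh/' is matched exactly; 'libssh2/' is a different library than the one the page names.
    if any(tok.startswith("libssh/") for tok in b.libs):
        t.exposed.append("libssh host-key validation (CVE-2026-9547)")
    if "HTTP2" in b.features:
        t.exposed.append("HTTP/2 use-after-free (CVE-2026-9080)")
    return t


def triage_local() -> Triage:
    """Run the check against the curl binary on PATH."""
    out = subprocess.run(["curl", "--version"], capture_output=True, text=True, check=True).stdout
    return triage(out)


# Constructed sample reports (not captured from real hosts): an old build with every
# affected subsystem compiled in, and the same build at the fix release.
OLD_BUILD = """curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 libssh/0.10.6/openssl/zlib nghttp2/1.59.0
Release-Date: 2023-12-06, security patched: 8.5.0-2ubuntu10.6
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s scp sftp smb smbs smtp smtps
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP UnixSockets
"""
PATCHED_BUILD = """curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.21.0 OpenSSL/3.0.13 zlib/1.3 libssh/0.10.6/openssl/zlib nghttp2/1.59.0
Release-Date: 2026-06-24
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s scp sftp smtp smtps
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz SSL threadsafe UnixSockets
"""

if __name__ == "__main__":
    for name, sample in (("old", OLD_BUILD), ("patched", PATCHED_BUILD)):
        print(name, triage(sample))
```

Two caveats when reading the result. Distributions that backport fixes keep the old version number, so a build that is below 8.21.0 but carries the "security patched" marker needs its distro changelog checked rather than being trusted or condemned on the number alone. And this only covers the curl binary on PATH; applications and firmware that statically link or bundle their own libcurl have to be inventoried separately, for example by an SBOM or by scanning binaries for the `libcurl/` version string.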

Source: https://cybersecuritynews.com/25-year-old-curl-vulnerability/

curl TPRM report: https://www.rankiteo.com/company/curl

"id": "cur1782397529",
"linkid": "curl",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Billions of devices and systems',
                        'industry': ['Technology',
                                     'Internet of Things (IoT)',
                                     'CI/CD Pipelines'],
                        'location': 'Global',
                        'name': 'curl/libcurl',
                        'size': 'Billions of devices',
                        'type': 'Software Library'}],
 'attack_vector': ['Embedded Library Exploitation',
                   'Network-Based Exploitation'],
 'customer_advisories': 'Users of devices or systems relying on libcurl should '
                        'ensure their vendors have applied the latest security '
                        'patches.',
 'date_detected': '2026-05-11',
 'date_publicly_disclosed': '2026-06-24',
 'date_resolved': '2026-06-24',
 'description': 'A historic security update for curl, the ubiquitous data '
                'transfer tool and library, patched 18 CVEs—the most ever '
                'addressed in a single release—including a 25-year-old '
                'critical vulnerability (CVE-2026-8932) that had persisted '
                'since March 2001. The flaws were disclosed in curl 8.21.0, '
                'released on June 24, 2026, following an unprecedented surge '
                'in vulnerability reports triggered by an initial AI-driven '
                'discovery. The vulnerabilities span authentication bypasses, '
                'memory corruption, credential leaks, and improper host '
                'validation, affecting libcurl, the embedded engine powering '
                'billions of devices.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'widespread exposure of critical '
                                       'vulnerabilities',
            'operational_impact': 'Potential authentication bypasses, memory '
                                  'corruption, and credential leaks in '
                                  'embedded systems',
            'systems_affected': 'Over 30 billion devices'},
 'investigation_status': 'Completed',
 'lessons_learned': 'The incident underscores the growing role of AI in '
                    'vulnerability discovery and the long-tail risks of '
                    'foundational software. Many embedded systems lack direct '
                    'patching mechanisms, amplifying the urgency for '
                    'organizations to update.',
 'post_incident_analysis': {'corrective_actions': ['Release of curl 8.21.0 '
                                                   'with 18 CVEs patched',
                                                   'Deprecation of outdated '
                                                   'features',
                                                   'Increased AI-driven '
                                                   'vulnerability discovery '
                                                   'efforts'],
                            'root_causes': ['25-year-old unpatched '
                                            'vulnerability (CVE-2026-8932)',
                                            'Lack of direct patching '
                                            'mechanisms in embedded systems',
                                            'Widespread use of libcurl in '
                                            'critical infrastructure']},
 'recommendations': 'Organizations should prioritize updating to curl 8.21.0 '
                    'or later to mitigate critical vulnerabilities, especially '
                    'in embedded systems. Deprecation of outdated features '
                    'should be monitored to avoid future risks.',
 'references': [{'date_accessed': '2026-06-24',
                 'source': 'curl Security Release Notes'},
                {'date_accessed': '2026-05-11',
                 'source': 'Anthropic’s Mythos AI Discovery'},
                {'date_accessed': '2026-06-24',
                 'source': 'AISLE AI-Powered Security Platform'}],
 'response': {'communication_strategy': 'Public disclosure of vulnerabilities '
                                        'and patches',
              'containment_measures': 'Security patches released in curl '
                                      '8.21.0',
              'remediation_measures': 'Deprecation of outdated features (e.g., '
                                      'HTTP/2 stream dependency tracking, '
                                      'NTLM/SMB/TLS-SRP)'},
 'stakeholder_advisories': 'Organizations using libcurl should immediately '
                           'update to curl 8.21.0 to mitigate critical '
                           'vulnerabilities.',
 'title': '25-Year-Old Critical Flaw in curl Patched in Record-Breaking '
          'Security Release',
 'type': ['Vulnerability Exploitation',
          'Memory Corruption',
          'Authentication Bypass',
          'Credential Leak',
          'Improper Host Validation'],
 'vulnerability_exploited': ['CVE-2026-8932',
                             'CVE-2026-8925',
                             'CVE-2026-9547',
                             'CVE-2026-9080']}