curl 8.21.0 Patches Record 18 Vulnerabilities in Single Release
On June 24, 2026, the curl project released version 8.21.0, addressing a record 18 security vulnerabilities, the highest number fixed in a single update for the widely used data transfer tool. This milestone brings the total number of publicly disclosed curl vulnerabilities to 206 since the project's inception.
The update includes fixes for critical issues such as credential leakage, memory corruption in WebSocket handling, and use-after-free (UAF) vulnerabilities in HTTP/2 and socket callbacks. Among the patched flaws, four were rated Medium severity, including:
- CVE-2026-8925: A SASL double-free bug leading to memory corruption during authentication.
- CVE-2026-8927: An environment-set cross-proxy Digest auth state leak exposing credentials.
- CVE-2026-9079: A stale proxy password leak risking unintended credential reuse.
- CVE-2026-11856: A cross-origin Digest authentication state leak allowing unauthorized access.
The remaining 14 vulnerabilities were classified as Low severity but still pose risks, such as denial-of-service (DoS) via WebSocket memory exhaustion (CVE-2026-11586), SSH host verification bypasses (CVE-2026-9547), and HTTP/3 data exposure (CVE-2026-9545). Other fixes address connection reuse flaws, QUIC UDP datagram loops, and persistent CA trust issues.
Despite the security focus, the release introduces new features, including named glob support for URL patterns, HTTP/3 proxy CONNECT, and SHA-256 host public key support via libssh. It also deprecates HTTP/2 stream dependency tracking, NTLM, SMB, and TLS-SRP support, with plans to remove them in future versions.
The next curl release is scheduled for September 2, 2026, following a two-week extension to the development cycle. Organizations relying on curl or libcurl are advised to upgrade immediately to mitigate risks from credential exposure and memory corruption.
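As an added defender-side check (not part of the article or of the curl project's own tooling), the following POSIX shell script parses the first line of a `curl --version` banner and reports whether both the curl tool and the libcurl it links against are at or above the 8.21.0 release; the sample banners at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: verify an installed curl/libcurl is at least 8.21.0.
# Not from the article or the curl project; banners below are constructed.

FIXED_VERSION="8.21.0"   # first release carrying the 18 fixes described above

# Dotted-version compare: returns 0 (true) when $1 < $2, else 1.
# Non-numeric suffixes such as "8.21.0-DEV" are coerced to 0 by awk.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        max = (n > m) ? n : m
        for (i = 1; i <= max; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Second word of the first banner line, e.g. "curl 8.20.0 (...)" -> "8.20.0".
curl_tool_version() { printf '%s\n' "$1" | head -n1 | awk '{print $2}'; }

# The "libcurl/X.Y.Z" token; the tool and the linked library can differ
# (e.g. a new curl binary dynamically linked against an older system libcurl).
libcurl_version() {
    printf '%s\n' "$1" | head -n1 | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 when both tool and library are >= FIXED_VERSION, 1 otherwise.
# An unparseable banner is treated as unpatched.
curl_is_patched() {
    tool=$(curl_tool_version "$1")
    lib=$(libcurl_version "$1")
    [ -n "$tool" ] && [ -n "$lib" ] || return 1
    if version_lt "$tool" "$FIXED_VERSION" || version_lt "$lib" "$FIXED_VERSION"; then
        return 1
    fi
    return 0
}

# Constructed sample banners (real banners print more features after zlib/...).
OLD_BANNER="curl 8.20.0 (x86_64-pc-linux-gnu) libcurl/8.20.0 OpenSSL/3.0.2 zlib/1.2.11"
NEW_BANNER="curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.21.0 OpenSSL/3.0.2 zlib/1.2.11"
MIXED_BANNER="curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.19.0 OpenSSL/3.0.2 zlib/1.2.11"
```

On a real host, run `curl_is_patched "$(curl --version)" && echo patched || echo "upgrade needed"`; the MIXED_BANNER case shows why checking the libcurl token matters and not just the tool version.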
Source: https://cyberpress.org/curl-patches-18-vulnerabilities/
curl project TPRM report: https://www.rankiteo.com/company/the-curl-project