Curl Fixes a 25-Year-Old Bug in Its Largest CVE Release Yet
June 25, 2026 
Curl fixed 18 vulnerabilities, including a 25-year-old bug, with issues spanning auth bypass, memory safety, and host validation in libcurl.
Curl maintainers addressed eighteen vulnerabilities with a single update, and one of them goes back 25 years. That’s not a typo, it really sat there since the early 2000s. curl is a widely used open-source tool and library for transferring data over networks, it runs on more than 30 billion devices.
On May 11, 2026, curl’s lead developer said Anthropic’s Mythos found only one CVE. Later, Aisle and other organizations further analyzed the tool, uncovering 18 additional issues.
“AISLE led all security organizations with 6 of those 18 CVEs, plus additional valid findings, across curl and libcurl. The next-closest AI-powered organization received 3 CVEs, while researchers using Anthropic and OpenAI models found 1 each.” reads the report published by AISLE. “These discoveries provide further validation that AISLE’s model-agnostic system can outperform frontier models at a fraction of the cost, in any deployment environment.”
The interesting part isn’t just the volume of fixes. It’s what they say about how curl has evolved. Most of the obvious bugs are gone, so what’s left lives in weird corners of state handling, old protocol paths, and reused connections that don’t always behave the way you expect.
AISLE found 6 new curl CVEs, including memory and logic bugs in libcurl, and the oldest known issue, tracked as CVE-2026-8932, dating back to curl 7.7 in March 2001.
“libcurl could reuse an existing connection even after client certificate or private key settings had changed (authentication bypass).” reads the advisory.
That CVE matters because it hits libcurl behavior around connection reuse. In practice, it means a client certificate or key change might not be respected if an existing connection is reused. curl the command-line tool is not affected, but libcurl integrations in applications are.
What stands out is the detection angle. AI-assisted analysis didn’t just find one issue, it surfaced a cluster across credential handling, memory safety, and host validation. That includes credential confusion, double frees, use-after-free bugs, and improper host checks.
At this point, curl isn’t getting “easy wins” anymore. The remaining issues live in logic, not syntax. That’s why researchers keep circling back, and why tools like AI analysis are starting to matter more in review workflows than traditional scanning alone.
And yet, despite the scale and the reach of curl in billions of devices, there’s still no confirmed case of real-world exploitation of these flaws. That’s either reassuring, or just a reminder that the hardest bugs are the ones nobody notices until they finally do.
Below is the list of vulnerabilities discovered by AISLE:
| Finding | Area | What happened |
|---|---|---|
| CVE-2026-8926 | .netrc credential handling |
curl could select a password belonging to a different user for the same host when the URL supplied a username but no password (credential confusion). |
| CVE-2026-8925 | SASL authentication | curl could clean up and free the same GSASL context twice in SASL-enabled protocol flows (double free). |
| CVE-2026-8932 | mTLS connection reuse | libcurl could reuse an existing connection even after client certificate or private key settings had changed (authentication bypass). |
| CVE-2026-9080 | Multi socket callback lifecycle | calling curl_easy_pause() inside a socket callback could leave libcurl writing through a freed internal pointer (use after free). |
| CVE-2026-9547 | SSH host validation | with the libssh backend, SCP/SFTP transfers using a host-key callback could accept a server key type that should have been rejected (improper host validation). |
| CVE-2026-10536 | HTTP/2 stream dependencies | resetting and then cleaning up a handle using HTTP/2 dependency options could cause libcurl to touch already-freed state (use after free). |
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CVE-2026-8932)
Stephan is the sports journalist for the Maple Grove Report.
