Curl's largest security release fixes 18 flaws, including a 25-year-old bug
The curl project shipped its largest-ever security release, version 8.21.0, fixing 18 vulnerabilities, among them a flaw that had gone unnoticed for 25 years. That bug (CVE-2026-8932) lets libcurl reuse an already-established connection for a new transfer even though the client certificate or private key configured for that transfer has changed, so the new request rides on a connection the server authenticated under the previous identity: an authentication bypass. It affects software built on the libcurl library, where a long-running process can issue successive transfers with different credentials, rather than the command-line tool. Other fixes address credential confusion, memory-corruption bugs, and improper host validation. Most of the 18 are rated medium or low severity, but libcurl is embedded in an enormous range of products, from IoT devices to CI/CD pipelines and cars, so the practical reach is large and easy to overlook.
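The mechanism behind the connection-reuse flaw is easiest to see in a small model. The following is an added illustrative example, not libcurl's code and not a reproduction of CVE-2026-8932: it models a connection pool whose match key omits the client certificate (the assumed weak behaviour), the same pool with the certificate in the key, and a blunt per-request "do not reuse" switch. The host name, tenant certificate names and class names are made up for the example.

```python
"""Model of a TLS connection pool whose reuse key omits the client certificate.
Constructed example, not libcurl source: the real matching rules live inside
libcurl and differ in detail. It shows the class of bug the page describes,
where a second transfer configured with a different client cert is sent over
a connection the server already authenticated as the first identity."""
from dataclasses import dataclass


@dataclass
class Connection:
    host: str
    port: int
    client_cert: str  # identity presented during the TLS handshake
    closed: bool = False


class Pool:
    def __init__(self, key_includes_cert: bool, forbid_reuse: bool = False):
        # key_includes_cert=False is the assumed weak behaviour (cert not matched)
        self.key_includes_cert = key_includes_cert
        # forbid_reuse=True models a per-request "always use a fresh connection"
        self.forbid_reuse = forbid_reuse
        self._idle = {}        # match key -> idle Connection
        self.handshakes = 0    # how many TLS handshakes were actually performed

    def _key(self, host, port, client_cert):
        if self.key_includes_cert:
            return (host, port, client_cert)
        return (host, port)  # weak key: identity is not part of the match

    def request(self, host, port, client_cert) -> str:
        """Send one transfer; return the identity the server sees on that connection."""
        key = self._key(host, port, client_cert)
        conn = self._idle.pop(key, None)
        if conn is None or conn.closed:
            conn = Connection(host, port, client_cert)
            self.handshakes += 1
        # the server only ever learned the cert presented at handshake time
        server_view = conn.client_cert
        if self.forbid_reuse:
            conn.closed = True
        else:
            self._idle[key] = conn
        return server_view


def who_does_server_see(key_includes_cert: bool, forbid_reuse: bool = False) -> str:
    """Two transfers from one process, same host, different client certs.
    Returns the identity the server attributes the second transfer to."""
    pool = Pool(key_includes_cert, forbid_reuse)
    pool.request("api.example.test", 443, "tenant-a.pem")
    # the same process now acts for another tenant against the same host
    return pool.request("api.example.test", 443, "tenant-b.pem")


if __name__ == "__main__":
    print("weak key   :", who_does_server_see(key_includes_cert=False))
    print("cert in key:", who_does_server_see(key_includes_cert=True))
    print("forbid reuse:", who_does_server_see(False, forbid_reuse=True))
```

The lesson generalises beyond this CVE: every parameter that changes the authenticated or authorised context of a connection (client certificate, key, proxy credentials, TLS trust settings) must be part of the pool's match key, or the pool must be flushed when any of them changes. Disabling reuse per request costs a handshake per transfer and is only a stopgap; libcurl exposes CURLOPT_FRESH_CONNECT and CURLOPT_FORBID_REUSE for that purpose, but whether they fully cover this particular fix is not stated on the page and is an assumption, so updating to 8.21.0 remains the actual fix.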
- Check
  - Identify where curl and especially the libcurl library are used across your applications, devices, containers, and build pipelines, including statically linked and vendored copies, since most exposure comes from embedded libcurl rather than the command-line tool.
- Affected
  - Applications and devices built on libcurl older than 8.21.0 (CVE-2026-8932 and the other 17 fixes); those that use mutual TLS and switch client certificates or keys on a reused handle face the authentication-bypass risk through connection reuse.
- Fix
  - Update curl and libcurl to 8.21.0, rebuild and redeploy software that bundles or statically links libcurl, and prioritize systems using mutual TLS or handling credentials, including embedded and IoT devices that update slowly.
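One way to carry out the "Check" step over a filesystem tree (an unpacked container image, a firmware dump, a build agent) is to look for the `libcurl/X.Y.Z` version string that libcurl embeds in itself; it is the prefix of what `curl_version()` returns and of libcurl's default User-Agent, and it survives static linking and symbol stripping because it is ordinary string data. The scanner below is an added example, not a tool from the curl project. The sample tree it builds is constructed inline; the paths and byte contents are made up, and the fixed version is taken from the page.

```python
"""Scan a directory tree for embedded libcurl version strings and flag copies
older than the fixed release. Added example, not curl-project code."""
import os
import re
import tempfile

FIXED_VERSION = (8, 21, 0)  # release named on the page
VERSION_RE = re.compile(rb"libcurl/(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """'8.21.0' -> (8, 21, 0), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def is_fixed(version) -> bool:
    return tuple(version) >= FIXED_VERSION


def versions_in_file(path, chunk=1 << 20):
    """Return the set of libcurl versions whose string appears in the file.
    Reads in chunks and keeps a short tail so a match spanning a chunk
    boundary is not lost; the set de-duplicates any re-seen tail matches."""
    found = set()
    carry = b""
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                break
            buf = carry + data
            for m in VERSION_RE.finditer(buf):
                found.add(tuple(int(g) for g in m.groups()))
            carry = buf[-32:]
    return found


def scan_tree(root):
    """Walk root; return one finding per (file, version) with a fixed/not-fixed flag."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                versions = versions_in_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the inventory
            for v in sorted(versions):
                findings.append({
                    "path": os.path.relpath(path, root),
                    "version": ".".join(map(str, v)),
                    "fixed": is_fixed(v),
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed sample tree standing in for an unpacked image or firmware dump.
    The file names and bytes are made up for this example."""
    root = tempfile.mkdtemp(prefix="libcurl-scan-")
    samples = {
        "usr/lib/libcurl.so.4": b"\x7fELF...libcurl/8.4.0 OpenSSL/3.0.2 zlib/1.2.13...",
        "opt/agent/agent": b"...statically linked agent...libcurl/8.21.0...",
        "etc/motd": b"no curl here",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        status = "ok" if f["fixed"] else "UPDATE"
        print(f"{status:6} {f['version']:8} {f['path']}")
```

Two caveats when reading the output. Distribution packages often backport security fixes without changing the version string, so a pre-8.21.0 hit is a lead to check against the vendor's advisory, not proof that the copy is vulnerable. And a hit tells you only that libcurl is present; whether the application reuses handles across different client certificates, the condition for CVE-2026-8932, has to be established from the application itself.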