Curl maintainers have addressed 18 vulnerabilities in a recent update, with one bug dating back 25 years. Curl, a widely used open-source tool and library for transferring data over networks, runs on more than 30 billion devices. The vulnerabilities span authentication bypass, memory safety, and host validation issues within libcurl, as reported by Security Affairs.

The update includes fixes for issues discovered through AI-assisted analysis, with AISLE identifying six CVEs, including the oldest known bug, CVE-2026-8932, which dates back to curl 7.7 in March 2001. This vulnerability allows libcurl to reuse an existing connection even after the client certificate or private key settings have changed, so a request intended to authenticate with new credentials can be sent over a connection that was established with the old ones, potentially leading to authentication bypass. Other critical findings include credential confusion, double frees, use-after-free bugs, and improper host validation in areas such as .netrc credential handling, SASL authentication, and SSH host validation.

While the curl command-line tool is not directly affected by the CVE-2026-8932 flaw, applications that integrate libcurl are vulnerable. Despite the significant number and age of these vulnerabilities, no confirmed cases of real-world exploitation have been reported.

Source: Security Affairs