25-Year-Old Vulnerability in curl Finally Patched

A critical security flaw that has existed in curl for over 25 years has been patched in the latest release. The same update fixes 18 vulnerabilities in total, the most ever addressed in a single curl version.

curl, a widely used command-line tool and library for data transfers, is integral to numerous systems and devices. It runs on over 30 billion devices and handles transfers in operating systems, containers, CI/CD pipelines, package managers, SDKs and automotive systems. Most of that footprint is libcurl, the library embedded in countless products, rather than the curl binary that users invoke directly. A libcurl vulnerability therefore lives in every product that bundles the library, which makes affected copies hard to inventory and slow to patch.

The recent wave of vulnerability discoveries began on May 11, 2026, when Anthropic’s Mythos AI model found a single vulnerability in curl that was assigned a CVE. That disclosure triggered an unprecedented influx of security reports to the curl project. In the end, 18 CVEs were issued for the curl 8.21.0 release, a record for any single curl version.

Among the vulnerabilities addressed is CVE-2026-8932, a connection reuse issue affecting mutual TLS (mTLS) that could lead to authentication bypass. The flaw was introduced in curl 7.7, released on March 22, 2001, making it the oldest curl security issue ever reported. libcurl keeps established connections in a pool and reuses one when a later transfer’s destination and connection settings match. The comparison did not take the client certificate or private key settings into account, so a transfer configured with a different client identity, or with none at all, could be sent over a connection that had already been authenticated with an earlier certificate. To the server, that traffic carried the first client’s identity, which is the bypass.
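To make the reuse check concrete, the following is an added example written for this article, not code from curl or libcurl. It models a libcurl-style connection pool with two matching routines: one that compares only the destination, which is the behaviour described above, and one that also compares the client certificate and key. All names (`find_reusable_vulnerable`, `find_reusable_fixed`, `request_t`, the constructed `REQ_*` requests and the certificate paths) are assumptions for illustration; the real libcurl matcher compares many more attributes, and the actual fix in 8.21.0 may be structured differently.

```c
/* Model of connection reuse with and without the client-identity check.
 * Added example for this article; this is NOT libcurl source code.
 * Names, fields and certificate paths are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_CONNS 8

/* One pooled connection: its destination and the client identity that was
 * presented during the TLS handshake (NULL = no client certificate). */
typedef struct {
    const char *host;
    int port;
    const char *client_cert;
    const char *client_key;
    int in_use;
} conn_t;

/* The subset of a transfer's settings that matter for this check. */
typedef struct {
    const char *host;
    int port;
    const char *client_cert;
    const char *client_key;
} request_t;

typedef struct {
    conn_t conns[MAX_CONNS];
    int count;
} conn_cache_t;

/* Constructed requests used by the scenario below (paths are made up). */
const request_t REQ_ADMIN      = {"api.example.test",   443, "/etc/pki/admin.crt", "/etc/pki/admin.key"};
const request_t REQ_ANON       = {"api.example.test",   443, NULL, NULL};
const request_t REQ_OTHER_CERT = {"api.example.test",   443, "/etc/pki/other.crt", "/etc/pki/other.key"};
const request_t REQ_OTHER_HOST = {"other.example.test", 443, NULL, NULL};

/* NULL-safe string equality: two absent values compare equal. */
static int str_eq(const char *a, const char *b) {
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Vulnerable matcher: only the destination is compared, so a connection
 * authenticated with one client certificate satisfies a transfer that
 * configured a different certificate (or none). */
conn_t *find_reusable_vulnerable(conn_cache_t *cache, const request_t *req) {
    for (int i = 0; i < cache->count; i++) {
        conn_t *c = &cache->conns[i];
        if (!c->in_use && c->port == req->port && strcmp(c->host, req->host) == 0)
            return c;
    }
    return NULL;
}

/* Fixed matcher: the client certificate and key must match as well, so a
 * transfer with a different identity gets a fresh handshake instead. */
conn_t *find_reusable_fixed(conn_cache_t *cache, const request_t *req) {
    for (int i = 0; i < cache->count; i++) {
        conn_t *c = &cache->conns[i];
        if (!c->in_use && c->port == req->port && strcmp(c->host, req->host) == 0 &&
            str_eq(c->client_cert, req->client_cert) &&
            str_eq(c->client_key, req->client_key))
            return c;
    }
    return NULL;
}

/* Stand-in for connecting and handshaking: records the identity used. */
conn_t *open_connection(conn_cache_t *cache, const request_t *req) {
    if (cache->count >= MAX_CONNS)
        return NULL;
    conn_t *c = &cache->conns[cache->count++];
    c->host = req->host;
    c->port = req->port;
    c->client_cert = req->client_cert;
    c->client_key = req->client_key;
    c->in_use = 0;   /* returned to the pool once the first transfer finishes */
    return c;
}

/* Scenario: the application performs `first` (a TLS handshake with its
 * client identity), then `second` to the same pool. Returns 1 if `second`
 * would be sent over the connection that `first` authenticated. */
int second_transfer_inherits_identity(conn_t *(*match)(conn_cache_t *, const request_t *),
                                      const request_t *first, const request_t *second) {
    conn_cache_t cache;
    memset(&cache, 0, sizeof cache);
    conn_t *opened = open_connection(&cache, first);
    conn_t *reused = match(&cache, second);
    return reused == opened;
}

int main(void) {
    printf("vulnerable: anonymous transfer rides on admin connection: %d\n",
           second_transfer_inherits_identity(find_reusable_vulnerable, &REQ_ADMIN, &REQ_ANON));
    printf("fixed:      anonymous transfer rides on admin connection: %d\n",
           second_transfer_inherits_identity(find_reusable_fixed, &REQ_ADMIN, &REQ_ANON));
    return 0;
}
```

A libcurl-based application that cannot update yet can keep transfers that switch client identity off the shared pool: setting CURLOPT_FRESH_CONNECT on the handle forces a new connection, and CURLOPT_FORBID_REUSE keeps that connection from being pooled afterwards. Both options exist in libcurl; they are a workaround for the matching gap, not a replacement for the 8.21.0 fix.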

Several of these vulnerabilities affect only libcurl, not the curl command-line tool itself. Such bugs sit deep inside embedded products, where end users have no visibility into which libcurl version is linked and no way to patch it other than waiting for a vendor update. Whether a given product is exposed depends on how its code drives the library (which options it sets, which URLs it requests and which servers it talks to), so the same CVE can be unreachable in one product and remotely triggerable in another. That is what makes these findings especially significant for enterprise and IoT environments. For systems you control, `curl --version` reports the linked libcurl version, and applications can query it at runtime with curl_version_info().

Beyond the CVEs, further memory safety issues were disclosed, including a heap out-of-bounds read in urlapi (curl’s URL parsing API) and use-after-free and double-free bugs in HSTS handling, all reported via HackerOne. Both areas process input an attacker can influence: urlapi parses URLs, and the HSTS cache is populated from Strict-Transport-Security response headers sent by servers. These findings underscore the need for continuous security assessment and for organizations to track and update the software components they ship.

The discovery and patching of these vulnerabilities show what community reporting and AI-assisted tooling can surface in long-established code. Because curl is a foundational component in so many systems, keeping it patched is a prerequisite for the integrity and safety of the broader technological ecosystem.