Connection Pool Reuse Flaw in libcurl Affects Multiple Products
CVE-2026-8932
What is CVE-2026-8932?
A vulnerability in libcurl arises from its connection pooling mechanism, where previously established connections can be reused despite changes to mTLS configuration settings. This flaw occurs because certain TLS parameters associated with client certificates are not adequately checked during the reuse process. Specifically, alterations related to the private key are not taken into account, potentially allowing unauthorized access or data leakage during secure connections. Users of libcurl should review their implementations to safeguard client certificates against inadvertent connection reuse.
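The reuse decision described above, modelled as an added example (not libcurl's source and not code from this page). The struct fields, function names and sample values are assumptions made for illustration: the flawed check ignores the private key settings, while the strict check compares every client-identity setting before a pooled connection is handed back.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the per-connection mTLS settings; the field names
   are assumptions for illustration, not libcurl's internal structures. */
struct mtls_cfg {
    const char *host;
    const char *cert;      /* client certificate path */
    const char *key;       /* private key path */
    const char *key_type;  /* e.g. "PEM" */
};

/* NULL-safe string equality: two unset values match, set vs unset does not. */
static int same(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Flawed reuse check: private key settings are never compared. */
int reuse_ok_flawed(const struct mtls_cfg *pooled, const struct mtls_cfg *wanted)
{
    return same(pooled->host, wanted->host) && same(pooled->cert, wanted->cert);
}

/* Corrected reuse check: every client-identity setting must match. */
int reuse_ok_strict(const struct mtls_cfg *pooled, const struct mtls_cfg *wanted)
{
    return reuse_ok_flawed(pooled, wanted) &&
           same(pooled->key, wanted->key) &&
           same(pooled->key_type, wanted->key_type);
}

int main(void)
{
    /* Constructed sample values: same host and certificate, different key. */
    struct mtls_cfg pooled = { "api.example.test", "client.pem", "tenant-a.key", "PEM" };
    struct mtls_cfg wanted = { "api.example.test", "client.pem", "tenant-b.key", "PEM" };

    printf("flawed check reuses: %d\n", reuse_ok_flawed(&pooled, &wanted));
    printf("strict check reuses: %d\n", reuse_ok_strict(&pooled, &wanted));
    return 0;
}
```

An application that switches client identities on a shared handle can apply the same comparison to its own settings to decide when a fresh connection is required.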
Affected Version(s)
curl 8.20.0
curl 8.19.0
curl 8.18.0
News Articles
25-Year-Old Vulnerability in cURL Used by 30 Billion Devices Finally Patched - IT Security News
A critical security flaw lurking in curl for over 25 years has been patched, as part of a record-breaking security release that fixed 18 CVEs, the most ever issued in a single curl version. The vulnerability, CVE-2026-8932, was first shipped…
1 week ago
