25-Year-Old Critical Flaw in curl Patched in Record-Breaking Security Release A historic security update for curl, the ubiquitous data transfer tool and library, patched 18 CVEs the most ever addressed in a single release including a 25-year-old critical vulnerability (CVE-2026-8932) that had persisted since March 2001. The flaws were disclosed in curl 8.21.0, released on June 24, 2026, following an unprecedented surge in vulnerability reports triggered by an initial AI-driven discovery. ### The Flaws & Their Impact The vulnerabilities span authentication bypasses, memory corruption, credential leaks, and improper host validation, with many affecting libcurl the embedded engine powering billions of devices, from IoT systems to CI/CD pipelines. Key issues include: - CVE-2026-8932 (mTLS connection reuse): A 25-year-old flaw allowing authentication bypass when client certificates change. - CVE-2026-8925 (SASL double-free): Memory corruption in SASL protocol flows. - CVE-2026-9547 (SSH host validation): Improper validation of rejected server keys via libssh. - CVE-2026-9080 (HTTP/2 use-after-free): Crashes when resetting HTTP/2 dependency handles. Most CVEs were rated Medium or Low severity, but their reach is vast libcurl’s embedded nature means many flaws are invisible to end users, leaving enterprise and IoT environments particularly exposed. ### AI’s Role in Discovery The wave of disclosures began on May 11, 2026, when Anthropic’s Mythos AI identified an initial CVE. This prompted a flood of reports, with AISLE, an AI-powered security platform, uncovering 6 of the 18 CVEs more than any other contributor. Other AI models (Anthropic, OpenAI) and researchers contributed additional findings. ### Broader Fixes & Future Changes Beyond security patches, curl 8.21.0 introduces: - Named globs for file uploads and HTTP/3 proxy enhancements. - Deprecation of outdated features, including HTTP/2 stream dependency tracking and NTLM/SMB/TLS-SRP (slated for removal). The release includes 276 bug fixes and 500+ commits from over 100 developers, reflecting the project’s ongoing maintenance challenges. ### Why It Matters With curl running on over 30 billion devices, these flaws especially those in libcurl pose systemic risks. Many embedded systems lack direct patching mechanisms, amplifying the urgency for organizations to update. The incident underscores the growing role of AI in vulnerability discovery and the long-tail risks of foundational software.