
Curl patches 18 vulnerabilities including 25‑year‑old CVE-2026-8932

Vulnerability, status open, Jun 25, 2026
Curl fixes 18 bugs including the 25-year-old CVE-2026-8932 in libcurl

The curl project has issued an update that patches eighteen vulnerabilities in the curl tool and the libcurl library, including a flaw that has remained unfixed for twenty-five years, according to SecurityAffairs. The update addresses issues ranging from authentication bypass to memory safety problems in libcurl, a component present in more than thirty billion devices.

The oldest flaw, tracked as CVE-2026-8932, resides in the connection reuse logic: when a client certificate is changed, libcurl may still hand back an existing connection that was authenticated with the previous certificate, so the change is effectively ignored and an attacker may be able to bypass authentication, as detailed in the advisory. Other vulnerabilities patched include double free, use-after-free and credential confusion issues, several of which affect how libcurl handles TLS sessions and proxy connections. No CVSS score has been assigned to CVE-2026-8932 in the current release.

The discoveries were made using AI-assisted analysis by the vulnerability management firm Aisle, which scanned the codebase for patterns indicative of memory safety lapses and logic errors, as reported by SecurityWeek. Because libcurl is embedded in everything from smartphones to industrial controllers, the combined installed base that must receive the fix exceeds thirty billion instances.

So far there is no evidence that any of these bugs have been exploited in the wild, and no threat actor has been linked to the flaws. The connection reuse issue dates back roughly a quarter of a century, meaning it persisted through multiple generations of software and hardware updates.

The episode shows how long‑lived components can hide defects for decades, even as they are continuously reused across platforms. It also illustrates that modern bug‑finding techniques, including machine learning aided reviews, are capable of uncovering such deep‑seated issues before they are abused.

Defenders should prioritize upgrading to the latest curl release. Applications that link libcurl dynamically pick up the fix once the shared library is updated and the processes using it are restarted; anything that statically links or vendors libcurl must be rebuilt against the patched source. Administrators should also verify that TLS client certificate rotation is honoured by their services, and watch authentication logs for unexpected successful logins that could indicate an attempt to abuse the connection reuse flaw.

It is also prudent to review third-party dependencies for older curl versions, to consider disabling connection reuse in environments where it is not required, and to subscribe to the curl security mailing list to receive timely notice of future advisories.
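The following script is an added example for the dependency review described above; it is not part of the article or of the curl project. It parses `curl --version` output (a constructed sample is embedded so it runs offline), compares both the tool version and the libcurl version it actually loads against a minimum, and lists binaries under a directory that load libcurl dynamically. `MIN_VERSION` is a placeholder assumption: take the first fixed release from the curl advisory, which the article does not name.

```shell
#!/usr/bin/env bash
# Added example, not curl project code: inventory curl/libcurl versions on a host.
# MIN_VERSION is a placeholder; set it to the first fixed release from the advisory.
MIN_VERSION="${MIN_VERSION:-0.0.0}"

# Turn "8.7.1" or "8.7.1-DEV" into a fixed-width key ("008007001") so that
# versions compare numerically. Missing components count as zero.
curl_version_key() {
    v=${1%%[!0-9.]*}
    set -- $(printf '%s\n' "$v" | tr '.' ' ')
    printf '%03d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Succeeds when version $1 is at least version $2.
curl_version_ge() {
    [ "$(curl_version_key "$1")" -ge "$(curl_version_key "$2")" ]
}

# Extract the tool version and the libcurl version from `curl --version` output.
# First line looks like: "curl 8.7.1 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 ..."
# The two can differ when a package update replaced the binary but a stale shared
# library is still being loaded, which is exactly what a patch audit must catch.
parse_curl_version_output() {
    bin=$(printf '%s\n' "$1" | awk 'NR==1 && $1=="curl" {print $2}')
    lib=$(printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    printf '%s %s\n' "${bin:-unknown}" "${lib:-unknown}"
}

# List executables under a directory that load libcurl dynamically. These are
# fixed by updating the shared library and restarting them. Statically linked or
# vendored copies do not show up here and must be found via an SBOM or package audit.
scan_dynamic_libcurl_users() {
    dir="$1"
    command -v ldd >/dev/null 2>&1 || { echo "ldd not available" >&2; return 1; }
    find "$dir" -type f -perm -u+x 2>/dev/null | while IFS= read -r f; do
        if ldd "$f" 2>/dev/null | grep -q 'libcurl'; then
            printf '%s -> %s\n' "$f" "$(ldd "$f" 2>/dev/null | awk '/libcurl/ {print $3}')"
        fi
    done
}

# Constructed sample output (not captured from a real host) so the example runs offline.
SAMPLE_OUTPUT='curl 8.7.1 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3
Release-Date: 2024-03-27
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HTTPS-proxy SSL'

# Report both versions against MIN_VERSION. Usage on a real host:
#   MIN_VERSION=<fixed release> ./check_curl.sh   and call   report "$(curl --version)"
report() {
    set -- $(parse_curl_version_output "${1:-$SAMPLE_OUTPUT}")
    for ver in "$1" "$2"; do
        if curl_version_ge "$ver" "$MIN_VERSION"; then
            echo "ok: $ver >= $MIN_VERSION"
        else
            echo "OUTDATED: $ver < $MIN_VERSION"
        fi
    done
}
```

Checking the libcurl token separately from the tool version matters because the advisory's fix lives in the library: a host whose `curl` binary reports a patched version can still load an older `libcurl.so`, and the `ldd` scan shows which other programs would keep using that stale copy until it is replaced and they are restarted.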

Intelligence briefing updated Jun 25, 2026

CVE-2026-8932
Root source: curl.se