
Oldest Ever cURL Vulnerability Patched After 24 Years

Researchers have uncovered a security flaw in cURL that has persisted since 2001, making it the oldest vulnerability ever identified in the widely used tool. Designated CVE-2026-8932, the bug occurs in libcurl when it incorrectly reuses an existing connection even after critical authentication settings, such as client certificates or private keys, have been modified. Because the reused connection was set up under the earlier settings, this failure to reset connection state poses a significant risk for applications relying on secure, segregated sessions.

The issue spans decades of releases, and a fix is now available in cURL version 8.21.0. Beyond this legacy bug, the update covers a broader security surface, including:

  • A total of 18 new CVEs resolved in this single release.
  • Specific patches for connection pooling logic failures.
  • Stability improvements for libcurl integration.

System administrators and developers should prioritize upgrading to the latest version immediately to mitigate these risks. The full scope of the patches was highlighted by the AISLE blog and the technical community at TabNews, and the release marks a major maintenance milestone for one of the internet’s most fundamental open-source libraries.
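A way to check a host against the fixed release, as an added example that is not from the article or the curl project: it reads the `libcurl/X.Y.Z` token from `curl --version` output, since the flaw is in libcurl and the command-line tool can be linked against a different libcurl version. The function names and the sample version lines in the test are constructed for illustration.

```shell
#!/bin/sh
# Fixed release named in the article.
FIXED_VERSION="8.21.0"

# Print the libcurl version found on the first line of `curl --version`
# output, e.g. "curl 8.5.0 (...) libcurl/8.5.0 OpenSSL/3.0.13 ...".
# Prints nothing if the line has no libcurl/X.Y.Z token.
libcurl_version() {
    printf '%s\n' "$1" |
        sed -n '1s|.*libcurl/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p'
}

# Return 0 if version $1 >= version $2. Fields are compared numerically;
# a plain string comparison would rank 8.9.1 above 8.21.0.
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # split both versions into six fields
    IFS=$old_ifs
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Classify one `curl --version` output as patched, upgrade, or unknown.
assess() {
    v=$(libcurl_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo "patched libcurl/$v"
    else
        echo "upgrade libcurl/$v"
    fi
}

# Check the curl on this host, if one is installed.
if command -v curl >/dev/null 2>&1; then
    assess "$(curl --version)"
fi
```

This only covers the libcurl that the `curl` binary loads; applications that bundle or statically link their own libcurl need to be checked separately.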