Welcome to #curl 8.19.0
https://daniel.haxx.se/blog/2026/03/11/curl-8-19-0/
8 changes, 4 vulnerabilities and 264 bugs fixed. Enjoy!
(The 4 new CVEs are explained in follow-up toots.)
The live-streamed video presentation about this #curl release starts in less than two hours at https://www.twitch.tv/curlhacker
CVE-2026-1965: bad reuse of HTTP Negotiate connection
libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request.
CVE-2026-3783: token leak with redirect and netrc
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.
CVE-2026-3784: wrong proxy connection reuse with credentials
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
CVE-2026-3805: use after free in SMB connection reuse
When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.
As always with curl CVEs, no other resource has the level of detail and exactness about the flaws as the documentation provided at curl.se
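The redirect case in CVE-2026-3783 above is a good place to spell out the client-side rule a defender wants: an added Python example (not curl's code) of a redirect policy that forwards an OAuth2 bearer token only when the redirect target is the same origin and strips it otherwise. The function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Constructed example, not libcurl's implementation: the policy a client
# should apply to a bearer token when an HTTP(S) transfer is redirected.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def resolve_redirect(original_url, location):
    """Resolve a Location header (absolute or relative) against the original URL."""
    return urljoin(original_url, location)


def should_forward_bearer(original_url, location):
    """True only if the redirect stays on the same origin: same hostname,
    same port, and no https -> http downgrade. Any other target is a different
    party and must not receive the token."""
    s1, h1, p1 = _origin(original_url)
    s2, h2, p2 = _origin(resolve_redirect(original_url, location))
    if s2 not in DEFAULT_PORTS:
        return False          # only ever forward to http/https targets
    if h1 != h2 or p1 != p2:
        return False          # different hostname or port: drop the token
    if s1 == "https" and s2 == "http":
        return False          # plaintext downgrade would expose the token
    return True


def build_redirect_headers(original_url, location, headers):
    """Copy the request headers for the redirected request, removing
    Authorization unless the policy above allows forwarding it."""
    out = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    if "Authorization" in headers and should_forward_bearer(original_url, location):
        out["Authorization"] = headers["Authorization"]
    return out
```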
@bagder Hi Daniel, are you the one who is deciding whether some bug in curl is a CVE or not? As we all know CVE is "just" some other guy's database. And you and your project had a lot of trouble being bombarded by nonsense CVEs in the past.
So, I want to ask: Has the situation improved since then? Are you the authority over curl CVE now?