Skip to main content

curl / libcurl CVE-2026-8458

| EUVDEUVD-2026-41504 MEDIUM
6.5
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
4.8 MEDIUM

Network vector as curl operates over network; AC:H because wrong-reuse requires specific multi-service session conditions; C:L/I:L for potential context bleed, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
4.2 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
CVSS changed
Jul 06, 2026 - 18:22 NVD
6.5 (MEDIUM)
Analysis Generated
Jun 24, 2026 - 18:28 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Wrong connection reuse across different services in curl/libcurl up to 8.20.0 allows curl's connection pool to incorrectly match and reuse an existing connection when the target service differs from the one originally used to establish that connection. This is part of a coordinated batch of 19 CVEs fixed in curl 8.21.0, released June 24, 2026. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Application issues transfer to Service A
Delivery
Connection cached in libcurl pool
Exploit
Application requests transfer to different Service B
Execution
Flawed pool-matcher selects Service A connection
Persist
Transfer proceeds with wrong service context
Impact
Security controls (auth, TLS) for Service B silently bypassed

Vulnerability AssessmentAI

Exploitation Exploitation requires an application to use libcurl (not the curl command-line tool in single-transfer mode) with connection pooling active - the default - and to issue sequential or concurrent transfers targeting different services within the same session or multi-handle. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS score is not provided in the available data, but the curl project's own severity rating of LOW is the primary signal. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application using libcurl in a long-lived session issues a transfer to Service A (e.g., an SFTP endpoint) followed by a transfer to Service B (e.g., an HTTPS endpoint on the same host but different port or protocol). Due to the flawed pool-matching logic, curl selects the existing connection from Service A and reuses it for the Service B transfer, potentially causing the wrong authentication material, TLS session, or protocol state to be applied. …
Remediation Upgrade curl and libcurl to version 8.21.0, released June 24, 2026, which resolves CVE-2026-8458 alongside 18 other security issues patched in the same coordinated release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Curl

View all
CVE-2013-0249 HIGH POC
7.5 Mar 08

Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7

CVE-2015-3145 HIGH
7.5 Apr 24

The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which

CVE-2022-32221 CRITICAL POC
9.8 Dec 05

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data t

CVE-2022-32207 CRITICAL POC
9.8 Jul 07

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the

CVE-2018-0500 CRITICAL POC
9.8 Jul 11

Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that mig

CVE-2023-23914 CRITICAL POC
9.1 Feb 23

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functional

CVE-2023-27534 HIGH POC
8.8 Mar 30

A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly re

CVE-2023-27533 HIGH POC
8.8 Mar 30

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an atta

CVE-2025-0665 HIGH POC
7.0 Feb 05

A double-close vulnerability exists in libcurl when tearing down connection channels after threaded name resolution, cau

CVE-2022-27778 HIGH POC
8.1 Jun 02

A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used

CVE-2021-22901 HIGH POC
8.1 Jun 11

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when

CVE-2020-8177 HIGH POC
7.8 Dec 14

curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead to

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected
SLES15-SP6-CHOST-BYOS-EC2 Affected

Share

CVE-2026-8458 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy