CVE-2026-8932

unknown
Published 2026-07-03 ยท Modified 2026-07-03
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
โ€”

Description

libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker ยท View original โ†— ยท DFSG

CVE-2026-8932 NameCVE-2026-8932 SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Vulnerable and fixed packages The table below lists information on source packages. Source PackageReleaseVersionStatus curl (PTS)bullseye7.74.0-1.3+deb11u13vulnerable bullseyeโ€ฆ

CVE-2026-8932

NameCVE-2026-8932
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)bullseye7.74.0-1.3+deb11u13vulnerable
bullseye (security)7.74.0-1.3+deb11u16vulnerable
bookworm7.88.1-10+deb12u14vulnerable
bookworm (security)7.88.1-10+deb12u5vulnerable
trixie8.14.1-2+deb13u3vulnerable
forky8.20.0-5vulnerable
sid8.21.0~rc3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsource(unstable)8.21.0~rc2-1

Notes

[trixie] - curl <no-dsa> (Minor issue)
https://curl.se/docs/CVE-2026-8932.html
Introduced with: https://github.com/curl/curl/commit/a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4 (curl-7_7)
Fixed by: https://github.com/curl/curl/commit/7541ae569d82fb308a5e2d94916027da4fa3ba3e (rc-8_21_0-1, curl-8_21_0)

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
[trixie] - curl <no-dsa> (Minor issue)https://curl.se/docs/CVE-2026-8932.htmlIntroduced with: https://github.com/curl/curl/commit/a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4 (curl-7_7)Fixed by: https://github.com/curl/curl/commit/7541ae569d82fb308a5e2d94916027da4fa3ba3e (rc-8_21_0-1, curl-8_21_0)

OS impact

suse SUSE Affected 1 release
VersionStatusFixed in
โ€” Affected โ€”
debian Debian Mixed 5 releases
VersionStatusFixed in
trixie Affected โ€”
sid Fixed 8.21.0~rc2-1
forky Affected โ€”
bullseye Affected โ€”
bookworm Affected โ€”

References

CWEs

CWE-305

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.