CVE-2026-8458

MEDIUM

curl - Wrong Reuse for Different Services

Title source: rule
STIX 2.1

Description

libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.

Scores

CVSS v3 6.5
EPSS 0.0054
EPSS Percentile 41.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

Status published
Products (50)
curl/curl 7.43.0
curl/curl 7.44.0
curl/curl 7.45.0
curl/curl 7.46.0
curl/curl 7.47.0
curl/curl 7.47.1
curl/curl 7.48.0
curl/curl 7.49.0
curl/curl 7.49.1
curl/curl 7.50.0
... and 40 more
Published Jul 03, 2026
Tracked Since Jul 03, 2026