CVE-2026-8925

CRITICAL

curl - SASL Double-Free

Title source: rule
STIX 2.1

Description

The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.

Scores

CVSS v3 9.8
EPSS 0.0108
EPSS Percentile 61.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-415
Status published
Products (7)
curl/curl 8.15.0
curl/curl 8.16.0
curl/curl 8.17.0
curl/curl 8.18.0
curl/curl 8.19.0
curl/curl 8.20.0
haxx/curl 8.15.0 - 8.21.0
Published Jul 03, 2026
Tracked Since Jul 03, 2026