Release presentation
At 09:00 UTC (11:00 CEST) today I will do a traditional live-streamed release presentation of this release over on my Twitch channel.
Numbers
- the 275th release
- 6 changes
- 56 days (total: 10,817)
- 276 bugfixes (total: 14,187)
- 531 commits (total: 39,077)
- 0 new public libcurl function (total: 100)
- 0 new curl_easy_setopt() option (total: 308)
- 1 new curl command line option (total: 274)
- 102 contributors, 69 new (total: 3,731)
- 45 authors, 26 new (total: 1,489)
- 18 security fixes (total: 206)
Security
As mentioned before, the security report volume has been intense lately. We publish eighteen new curl vulnerabilities this time: a new project record both for a single release and for the total number of vulnerabilities published within the same calendar year.
As always, we have documented each vulnerability in detail and I encourage you to read up on the details.
Severity Medium
- CVE-2026-8925: SASL double-free
- CVE-2026-8927: env-set cross-proxy Digest auth state leak
- CVE-2026-9079: stale proxy password leak
- CVE-2026-11856: cross-origin Digest auth state leak
Severity Low
- CVE-2026-8286: wrong STARTTLS connection reuse
- CVE-2026-8458: wrong reuse for different services
- CVE-2026-8924: trailing dot domain super cookie
- CVE-2026-8926: password leak with netrc and user in URL
- CVE-2026-8932: incomplete mTLS config matching in conn reuse
- CVE-2026-9080: UAF after pause in socket callback
- CVE-2026-9545: exposing HTTP/3 early data
- CVE-2026-9546: sending old referer
- CVE-2026-9547: SSH improper host validation
- CVE-2026-10536: HTTP/2 stream-dependency tree UAF
- CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop
- CVE-2026-11564: Native CA trust persist
- CVE-2026-11586: WS Auto-PONG memory exhaustion
- CVE-2026-12064: proto-default skips SSH verification
Changes
The huge focus on vulnerability reports during this release cycle made us merge fewer new features than we wanted, but here are the ones we still managed to get to:
- curl: named globs
- curl: named globs in output file name for uploads
- HTTP/3 proxy CONNECT and MASQUE CONNECT-UDP support
- removed HTTP/2 stream dependency tracking
- removed support for CURLAUTH_DIGEST_IE
- added support for SHA256 host public keys with libssh
Bugfixes
We again managed to land more than 250 separate bugfixes, and they are all detailed in the changelog.
Pending removals
Planned upcoming removals include:
- local crypto implementations
- NTLM
- SMB
- TLS-SRP support
If you are concerned about any of these, speak up on the curl-library list ASAP.
Next release
Unless we messed up this one and need to do a patch release, the pending next release is scheduled to happen on September 2. This release cycle is extended by two weeks due to the summer of bliss.