{"id":30191,"date":"2026-06-24T08:00:23","date_gmt":"2026-06-24T06:00:23","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=30191"},"modified":"2026-06-24T12:04:49","modified_gmt":"2026-06-24T10:04:49","slug":"curl-8-21-0","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2026\/06\/24\/curl-8-21-0\/","title":{"rendered":"curl 8.21.0"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Release presentation<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"curl 8.21.0 with Daniel Stenberg\" width=\"474\" height=\"267\" src=\"https:\/\/www.youtube.com\/embed\/yVXnTNINI2I?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Numbers<\/h2>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\">the 275th release<br>6 changes<br>56 days (total: 10,817)<br>276 bugfixes (total: 14,187)<br>531 commits (total: 39,077)<br>0 new public libcurl function (total: 100)<br>0 new curl_easy_setopt() option (total: 308)<br>1 new curl command line option (total: 274)<br>102 contributors, 69 new (total: 3,731)<br>45 authors, 26 new (total: 1,489)<br>18 security fixes (total: 206)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Security<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As <a href=\"https:\/\/daniel.haxx.se\/blog\/2026\/04\/22\/high-quality-chaos\/\">mentioned before<\/a>, the security report volume has been intense lately. We publish <em>eighteen<\/em> new curl vulnerabilities this time. A new project record for a single release and for the total number of vulnerabilities published within the same calendar year.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As always, we have document each vulnerability in detail and I encourage you to read up on the details.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Severity Medium<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-8925.html\">CVE-2026-8925<\/a>: SASL double-free<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-8927.html\">CVE-2026-8927<\/a>: env-set cross-proxy Digest auth state leak<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-9079.html\">CVE-2026-9079<\/a>: stale proxy password leak<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-11856.html\">CVE-2026-11856<\/a>: cross-origin Digest auth state leak<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Severity Low<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-8286.html\">CVE-2026-8286<\/a>: wrong STARTTLS connection reuse<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-8458.html\">CVE-2026-8458<\/a>: wrong reuse for different services<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-8924.html\">CVE-2026-8924<\/a>: trailing dot domain super cookie<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-8926.html\">CVE-2026-8926<\/a>: password leak with netrc and user in URL<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-8932.html\">CVE-2026-8932<\/a>: incomplete mTLS config matching in conn reuse<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-9080.html\">CVE-2026-9080<\/a>: UAF after pause in socket callback<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-9545.html\">CVE-2026-9545<\/a>: exposing HTTP\/3 early data<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-9546.html\">CVE-2026-9546<\/a>: sending old referer<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-9547.html\">CVE-2026-9547<\/a>: SSH improper host validation<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-10536.html\">CVE-2026-10536<\/a>: HTTP\/2 stream-dependency tree UAF<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-11352.html\">CVE-2026-11352<\/a>: QUIC zero-length UDP datagrams busy-loop<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-11564.html\">CVE-2026-11564<\/a>: Native CA trust persist<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-11586.html\">CVE-2026-11586<\/a>: WS Auto-PONG memory exhaustion<\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-12064.html\">CVE-2026-12064<\/a>: proto-default skips SSH verification<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Changes<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The huge focus on vulnerability reports during this release cycle made us merge fewer new features than we wanted, but here are the ones we still managed to get to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>curl: <a href=\"https:\/\/daniel.haxx.se\/blog\/2026\/05\/16\/named-globs-with-curl\/\" data-type=\"post\" data-id=\"29654\">named globs<\/a><\/li>\n\n\n\n<li>curl: named globs in output file name for uploads<\/li>\n\n\n\n<li>HTTP\/3 proxy CONNECT and MASQUE CONNECT-UDP support<\/li>\n\n\n\n<li>removed HTTP\/2 stream dependency tracking<\/li>\n\n\n\n<li>removed support for CURLAUTH_DIGEST_IE<\/li>\n\n\n\n<li>added support for SHA256 host public keys with libssh<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Bugfixes<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We again manage to land more than 250 separate bugfixes, and they are all detailed in <a href=\"https:\/\/curl.se\/ch\/\">the changelog<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Pending removals<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Planned upcoming removals include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>local crypto implementations<\/li>\n\n\n\n<li>NTLM<\/li>\n\n\n\n<li>SMB<\/li>\n\n\n\n<li>TLS-SRP support<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If you are concerned about any of these, speak up on the <a href=\"https:\/\/curl.se\/mail\/list.cgi?list=curl-library\">curl-library list<\/a> ASAP.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Next release<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Unless we messed up this one and need to do a patch release, the pending next release is scheduled to happen on September 2. This release cycle is extended by two weeks due to <a href=\"https:\/\/daniel.haxx.se\/blog\/2026\/06\/15\/curl-summer-of-bliss\/\" data-type=\"post\" data-id=\"29983\">the summer of bliss<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Release presentation Numbers the 275th release6 changes56 days (total: 10,817)276 bugfixes (total: 14,187)531 commits (total: 39,077)0 new public libcurl function (total: 100)0 new curl_easy_setopt() option (total: 308)1 new curl command line option (total: 274)102 contributors, 69 new (total: 3,731)45 authors, 26 new (total: 1,489)18 security fixes (total: 206) Security As mentioned before, the security report &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2026\/06\/24\/curl-8-21-0\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">curl 8.21.0<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":30204,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,95],"class_list":["post-30191","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-release"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/30191","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=30191"}],"version-history":[{"count":14,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/30191\/revisions"}],"predecessor-version":[{"id":30287,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/30191\/revisions\/30287"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/30204"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=30191"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=30191"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=30191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}