YYaaa News

curl 8.21.0 patches a record 18 CVEs — one hidden 25 years, most found by AI

TL;DR

curl 8.21.0 fixes 18 CVEs at once — a single-release record. One had been hiding since 2001, and at least 11 were found by AI models, including 6 from AISLE alone.

curl 8.21.0 shipped on June 24 with 18 CVEs fixed in a single release — both a single-version record and a single-year record. curl's lifetime CVE count is barely over 200 (since 1996), and this release closes ~9% of it.

The interesting bit is who found them. AISLE reported 6 on its own, an unnamed AI company reported 3, and researchers at Anthropic and OpenAI reported 1 each, so at least 11 of the 18 came from AI models. For comparison, the roughly 200 CVEs from curl's previous 30 years were found by OSS-Fuzz, manual audits, and bug bounties.

The most striking one is CVE-2026-8932, an mTLS connection-reuse authentication bypass found by AISLE. The affected code first shipped in curl 7.7, released March 22, 2001, so the bug went unnoticed for 25 years and survived at least 4 major security audits.

Highlights: CVE-2026-8925 (a double-free in SASL authentication that leads to a use-after-free), CVE-2026-10536 (a use-after-free in HTTP/2 stream-dependency handling, triggered by a malicious server response), and CVE-2026-9547 (an SSH host verification bypass, critical for anyone using libcurl for git-over-SSH or scp automation).

Why it matters: libcurl is among the most widely embedded networking libraries in existence, found in Linux package managers, car infotainment systems, IoT firmware, smart speakers, and Postman. Stenberg estimates 30+ billion installs, so a single update touches nearly the entire connected-device attack surface.

AISLE's methodology is worth noting: it is model-agnostic, runs offline, and does not depend on a frontier-model API. "For well-defined security tasks, smaller models can beat the more expensive larger LLMs."

Action: ship 8.21.0 to every container, image, and firmware that links libcurl. No waiting for next quarter. Another wave is likely — AISLE is running the same pipeline against OpenSSL and nginx.
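Acting on that item starts with an inventory of which hosts and images still run an older libcurl. The script below is an added example, not code from the article or from the curl project: it takes the first line that `curl --version` prints, extracts the `libcurl/X.Y.Z` token (rather than the leading `curl X.Y.Z`, since a dynamically linked curl tool can run against a different libcurl), and compares it against 8.21.0, treating anything it cannot parse as outdated so the check fails closed. It assumes a POSIX sh environment; the sample banners are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article or from the curl project. It flags
# libcurl builds older than 8.21.0 (the release the article says to roll out)
# so they can be scheduled for update. Assumes POSIX sh and the first line that
# `curl --version` prints, for example:
#   curl 8.20.0 (x86_64-pc-linux-gnu) libcurl/8.20.0 OpenSSL/3.0.13 zlib/1.3
# All sample banners below are constructed for the demonstration.

FIXED_VERSION="8.21.0"
FIXED_MAJ=8; FIXED_MIN=21; FIXED_PAT=0

# Pull the libcurl/X.Y.Z token out of a banner line. Prints nothing if absent.
libcurl_version() {
    printf '%s\n' "$1" | sed -n 's#.*libcurl/\([0-9][0-9.]*\).*#\1#p'
}

# Return 0 (true) when the given version is older than 8.21.0, 1 otherwise.
# Unparseable input is treated as outdated so the check fails closed.
needs_update() {
    ver=${1%%[-+]*}                 # drop suffixes such as -DEV
    [ -n "$ver" ] || return 0
    oldIFS=$IFS; IFS=.; set -- $ver; IFS=$oldIFS
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    case "$maj$min$pat" in
        *[!0-9]*) echo "unparseable version '$ver', treating as outdated" >&2; return 0 ;;
    esac
    [ "$maj" -lt "$FIXED_MAJ" ] && return 0
    [ "$maj" -gt "$FIXED_MAJ" ] && return 1
    [ "$min" -lt "$FIXED_MIN" ] && return 0
    [ "$min" -gt "$FIXED_MIN" ] && return 1
    [ "$pat" -lt "$FIXED_PAT" ] && return 0
    return 1
}

# Report one banner line. Prints a verdict; returns 0 when an update is needed.
audit_banner() {
    v=$(libcurl_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN: no libcurl/ token in banner"
        return 0
    fi
    if needs_update "$v"; then
        echo "UPDATE libcurl/$v (older than $FIXED_VERSION)"
        return 0
    fi
    echo "OK libcurl/$v"
    return 1
}

# Constructed sample banners standing in for `curl --version` output from two hosts.
SAMPLE_OLD='curl 8.20.0 (x86_64-pc-linux-gnu) libcurl/8.20.0 OpenSSL/3.0.13 zlib/1.3'
SAMPLE_NEW='curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.21.0 OpenSSL/3.0.13 zlib/1.3'
for banner in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    audit_banner "$banner" || true
done

# Also check the curl on this machine, if there is one.
if command -v curl >/dev/null 2>&1; then
    audit_banner "$(curl --version 2>/dev/null | head -n 1)" || true
fi
```

For container images the same check can be driven with `docker run --rm IMAGE curl --version`, feeding the first line to `audit_banner`. Firmware that embeds libcurl without shipping the curl tool has no banner to parse, so there the version has to come from the build manifest or SBOM instead.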

via Daniel Stenberg Blog / AISLE
curl 8.21.0 fixes a record 18 CVEs in a single version | one went unnoticed for 25 years, and most were dug up by AI models