Curl's June 24, 2026 release (8.21.0) shipped patches for 18 CVEs, the highest count ever for a single curl release. AISLE's research team accounted for 6 of those - more than any other organization, and more than Anthropic's Mythos model or OpenAI's models combined.
A 25-Year-Old Bug That Survived 25 Curl Versions
CVE-2026-8932 is the oldest curl security issue ever reported. It first shipped in curl 7.7 on March 22, 2001 - a lifetime ago in internet years. The bug lives in mTLS connection reuse: libcurl could reuse an existing connection even after client certificate or private key settings changed, effectively bypassing authentication. It sat dormant across 25 years of releases because the code path is obscure: it is only triggered when an application changes TLS credentials mid-session. That's exactly the kind of edge case that survives manual auditing.
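To make the connection-reuse failure mode concrete, here is an added, constructed Python model of a connection cache; it is not libcurl's code, and the class names, certificate paths and the `check_identity` switch are assumptions for illustration. With the weak reuse key (endpoint only) a request carrying a different client certificate silently rides on a connection authenticated as someone else; the safe key includes the client identity, so changed credentials force a fresh connection.

```python
"""Constructed model of a connection cache whose reuse key does or does not
include the TLS client identity. Illustrative only, not libcurl's code."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class TlsClientId:
    """Client-side TLS settings that determine the identity the server sees."""
    cert: Optional[str] = None   # path to the client certificate
    key: Optional[str] = None    # path to the private key
    cert_type: str = "PEM"


@dataclass
class Conn:
    host: str
    port: int
    client_id: TlsClientId       # identity this connection was established with
    in_use: bool = False


@dataclass
class ConnCache:
    conns: list = field(default_factory=list)

    def add(self, host: str, port: int, client_id: TlsClientId) -> Conn:
        conn = Conn(host, port, client_id)
        self.conns.append(conn)
        return conn

    def find_reusable(self, host, port, client_id, check_identity=True):
        """Return an idle cached connection that may serve this request, or None."""
        for conn in self.conns:
            if conn.in_use or (conn.host, conn.port) != (host, port):
                continue
            # Weak key (check_identity=False): endpoint match is enough.
            # Safe key: the cached connection must carry the same client credentials.
            if check_identity and conn.client_id != client_id:
                continue
            return conn
        return None


def request_reuses_other_identity(check_identity: bool) -> bool:
    """Connect as 'alice', then request the same host as 'bob' (constructed paths)."""
    cache = ConnCache()
    alice = TlsClientId(cert="/tmp/alice.pem", key="/tmp/alice.key")
    bob = TlsClientId(cert="/tmp/bob.pem", key="/tmp/bob.key")
    cache.add("example.test", 443, alice)
    # True means bob's request was served on alice's authenticated connection.
    return cache.find_reusable("example.test", 443, bob, check_identity) is not None
```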
Beyond the Command Line: Hidden libcurl Attack Surface
Several of AISLE's findings target libcurl, not the curl CLI. That matters because libcurl is embedded in operating systems, CI pipelines, package managers, and appliances - code that users never touch directly. CVE-2026-8925 is a double-free in SASL authentication flows. CVE-2026-8926 lets curl pick a wrong password from .netrc when a URL supplies a username but no password. CVE-2026-9547 allows SSH host key validation bypass when using libssh. Each of these exploits a state transition or callback behavior that's easy to miss in code review but trivial to weaponize once found.
Model-Agnostic Security Beats Frontier Models on the Bench
AISLE's platform found these vulnerabilities without relying on any single frontier model. The next-closest AI-powered organization found 3 CVEs; Anthropic and OpenAI models each found 1. AISLE also generated patches for three of the bugs. Their approach - matching model capability to the specific security task, running entirely on-premises - outperformed far larger and more expensive LLMs. This suggests that for well-defined vulnerability research, the bottleneck isn't compute, but engineering: designing pipelines that can navigate old protocol paths, callback chains, and credential selection logic better than a general-purpose chatbot. AISLE has been sending findings to the curl project since fall 2025, with 29 valid findings and 5 CVEs in that earlier batch. The 8.21.0 release brings the total to 11 CVEs from AISLE alone.
Every curl user should update to 8.21.0 tonight. The next wave of vulnerabilities in mature infrastructure will come from specialized systems that know exactly where to look - not just bigger models with more parameters.
Source: Aisle Discovers 6 New CVEs in Curl, Including the Oldest Issue Ever Reported
Domain: aisle.com