Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
Unrated

libcurl wrong connection reuse for different Negotiate services

IdentifiersCVE-2026-8458CWE-488

CVE-2026-8458 is a low-severity libcurl vulnerability in the connection reuse logic for HTTP Negotiate-authenticated requests. Due to a logical error, libcurl can reuse an already authenticated connection for a new request targeting the same host and port with the same credentials even when the new request specifies a different Negotiate service name. The intended service name may be set with CURLOPT_SERVICE_NAME or CURLOPT_PROXY_SERVICE_NAME, but prior to the fix this service value was not properly included in the reuse decision. As a result, a live pooled connection authenticated for one service could be incorrectly reused for another service. The issue affects libcurl versions 7.43.0 through 8.20.0 inclusive and does not affect the curl command-line tool. The flaw was introduced by commit 97c272e5d173ad5f706 and fixed in curl 8.21.0 by making connection reuse account for the service name.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause libcurl to bind a request to the wrong authenticated session context when using HTTP Negotiate, resulting in exposure of a data element to the wrong session. In practice, requests intended for one Negotiate service may be sent over a connection authenticated for a different service, which can lead to authentication context confusion and unintended access or disclosure within environments that rely on distinct service identities on the same server endpoint. The curl project rated the issue Low severity.

Mitigation

If you can’t patch tonight, do this now.

If patching or upgrading cannot be performed immediately, avoid using HTTP Negotiate in affected applications. Operationally, reducing or disabling connection reuse for affected workflows may also reduce exposure, but the primary vendor-recommended mitigations are upgrading, applying the patch, or avoiding HTTP Negotiate.

Remediation

Patch, then assume compromise.

Upgrade to curl/libcurl 8.21.0 or later, which fixes the reuse logic by including the Negotiate service name in connection matching decisions. If an immediate upgrade is not possible, apply the upstream patch corresponding to commit 5e99b73cf441d9c369768b9cd and rebuild libcurl.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
cyber security newsNews
Jun 25, 2026
25-Year-Old Vulnerability in curl Used by 30 Billion Devices Finally Patched

A curl/libcurl vulnerability caused by incorrect connection reuse across different services.

Read more
daniel haxx seNews
Jun 24, 2026
curl 8.21.0 | daniel.haxx.se

A low-severity curl/libcurl vulnerability involving improper connection reuse across different services.

Read more
curlNews
Jun 24, 2026
curl - wrong reuse for different services - CVE-2026-8458

A low-severity libcurl vulnerability where a logical error can cause reuse of an existing Negotiate-authenticated connection for a different service on the same host, port, and credentials, potentially exposing data to the wrong session.

Read more
curlNews
Jun 24, 2026
curl: [SECURITY ADVISORIES] for curl 8.21.0

A curl vulnerability involving incorrect connection reuse across different services.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-8458
NVD
nvd.nist.gov/vuln/detail/CVE-2026-8458
MITRE CWE · CWE-488
cwe.mitre.org