CVE-2026-8925
N/A
N/A
Summary
The curl logic that works with SASL authentication could end up cleaning up
the GSASL context twice without clearing the pointer in between, making it
free() the same pointer twice.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| curl | curl | 8.20.0 <= 8.20.0 | affected |
| curl | curl | 8.19.0 <= 8.19.0 | affected |
| curl | curl | 8.18.0 <= 8.18.0 | affected |
| curl | curl | 8.17.0 <= 8.17.0 | affected |
| curl | curl | 8.16.0 <= 8.16.0 | affected |
| curl | curl | 8.15.0 <= 8.15.0 | affected |
Weaknesses
- CWE-415 Double Free
References
- https://curl.se/docs/CVE-2026-8925.json
- https://curl.se/docs/CVE-2026-8925.html
- https://hackerone.com/reports/3735193
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.