18 CVEs in a single release, heavy on connection reuse and auth state leaks—patch immediately if you use curl in production HTTP/HTTPS clients.
Summary
Connection pooling bugs (Digest auth state leak across proxies, stale password reuse, mTLS config mismatches) directly affect multi-request workflows. UAF and busy-loop issues in HTTP/2, HTTP/3, and QUIC can crash or hang applications under load.
Why it matters
Connection pooling bugs (Digest auth state leak across proxies, stale password reuse, mTLS config mismatches) directly affect multi-request workflows. UAF and busy-loop issues in HTTP/2, HTTP/3, and QUIC can crash or hang applications under load.
Implementation verdict
Mandatory upgrade for any curl-based HTTP client in production. Severity ranges from Medium (CVE-2026-8925 SASL double-free) to Low (CVE-2026-11586 WS Auto-PONG memory exhaustion), but the breadth of auth/proxy/connection reuse bugs argues for treating this as critical. Planned removals (NTLM, SMB, TLS-SRP, local crypto) signal deprecation—verify your usage now.
Sources
Dev Signal
Get briefs like this in your inbox — free, every weekday.
100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.