CVE-2026-8925 in Canonical and Haxx Products
Published on July 3, 2026
SASL double-free
The curl logic that works with SASL authentication could end up cleaning up
the GSASL context *twice* without clearing the pointer in between, making it
`free()` the same pointer twice.
Products Associated with CVE-2026-8925
stack.watch emails you whenever new vulnerabilities are published in Canonical Ubuntu Linux or Haxx Curl. Just hit a watch button to start following.
Affected Versions
curl:- Version 8.20.0, <= 8.20.0 is affected.
- Version 8.19.0, <= 8.19.0 is affected.
- Version 8.18.0, <= 8.18.0 is affected.
- Version 8.17.0, <= 8.17.0 is affected.
- Version 8.16.0, <= 8.16.0 is affected.
- Version 8.15.0, <= 8.15.0 is affected.