GHSA-m7xm-hf59-w6rj · Severity: high — libcurl would reuse a previously created connection even when some mTLS config related option had...
libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.
Conclusion & alert: CVE-2026-8932 is rated Exploit Available (55.2/100): CVSS High severity, with low exploitation likelihood (EPSS 0.37%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-07-09 | 0.28% | 0.37% | +0.09% |
| 2 | 2026-07-07 | 0.13% | 0.28% | +0.15% |
| 3 | 2026-07-04 | — | 0.13% | — |
Full EPSS history (3 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-m7xm-hf59-w6rj · Severity: high — libcurl would reuse a previously created connection even when some mTLS config related option had...
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-8932 not yet assigned priority: Debian including 1 source packages (curl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 4, resolved 1. | https://security-tracker.debian.org/tracker/CVE-2026-8932 |
suse
|
high | CVE-2026-8932 severity important: SUSE including 9 source package names (curl-8.21.0-1.1, curl-fish-completion-8.21.0-1.1, …), 9 product×package rows across 1 product lines (openSUSE Tumbleweed): Fixed 9. | https://www.suse.com/security/cve/CVE-2026-8932/ |
ubuntu
|
low | CVE-2026-8932 low priority: Ubuntu including 1 source packages (curl), 9 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): needed 8, pending 1. | https://ubuntu.com/security/CVE-2026-8932 |
| URL | Tags |
|---|---|
| https://curl.se/docs/CVE-2026-8932.html | Patch Vendor Advisory |
| https://curl.se/docs/CVE-2026-8932.json | Vendor Advisory |
| https://hackerone.com/reports/3733910 | Exploit Issue Tracking Third Party Advisory |