25-Year-Old Vulnerability Patched in Curl 8.11.0
Curl 8.11.0 patches 18 vulnerabilities, including a 25-year-old heap overflow bug (CVE-2026-3620) introduced in 1999.

The curl project has released version 8.11.0, addressing 18 security vulnerabilities, among them a 25-year-old heap overflow flaw in the curl_easy_escape() function. Tracked as CVE-2026-3620, the bug was introduced in 1999 and is triggered when an application passes an attacker-supplied length value to the function, leading to a heap overflow. Because libcurl is widely used for URL encoding, the vulnerability affects a broad range of software and could potentially enable remote code execution or denial of service.
In addition to the long-standing flaw, curl 8.11.0 fixes CVE-2026-3619, a hostname truncation issue triggered by the user@port syntax, and CVE-2026-3618, a path traversal vulnerability involving percent-decoded hostnames. The remaining 15 vulnerabilities are rated medium or low severity and cover issues such as buffer overreads, integer overflows, and improper input validation. Users are strongly advised to upgrade to the latest version immediately.
The discovery of CVE-2026-3620 highlights the challenges of maintaining security in widely used open-source libraries over decades. Curl, maintained by Daniel Stenberg, is one of the most ubiquitous tools for data transfer, embedded in countless operating systems, IoT devices, and enterprise applications. The 25-year-old bug underscores how legacy code can harbor latent vulnerabilities that evade detection for years.
Security researchers have praised the curl team for its thorough patch cycle, which now includes automated fuzzing and static analysis to catch similar issues earlier. The project's commitment to transparency is evident in its detailed changelog and advisory process, which provides clear guidance for downstream distributors and end users.
Organizations relying on curl should prioritize updating to version 8.11.0, especially if they expose curl-based services to untrusted input. The patch is available for download from the official curl website and will be rolled out by major Linux distributions and package managers in the coming days. No active exploitation of these vulnerabilities has been reported yet, but the age and reach of the affected code make prompt action advisable.