ALPINE-CVE-2026-8932

Source
https://security.alpinelinux.org/vuln/CVE-2026-8932
Import Source
https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-8932.json
JSON Data
https://api.osv.dev/v1/vulns/ALPINE-CVE-2026-8932
Upstream
  • CVE-2026-8932
Published
2026-07-03T07:16:25.363Z
Modified
2026-07-04T09:30:04.973661850Z
Summary
[none]
Details

libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse.

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.

References

Affected packages

Alpine:v3.24 / curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.21.0-r0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-8932.json"