CURL-CVE-2026-8458
- Source
- https://curl.se/docs/CVE-2026-8458.html
- Import Source
- https://curl.se/docs/CURL-CVE-2026-8458.json
- JSON Data
- https://api.osv.dev/v1/vulns/CURL-CVE-2026-8458
- Aliases
-
- CVE-2026-8458
- Published
- 2026-06-24T08:00:00Z
- Modified
- 2026-06-24T14:05:45.463439Z
- Summary
- wrong reuse for different services
- Details
-
libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different "services".
libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.
When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.
- Database specific
{ "package": "curl", "URL": "https://curl.se/docs/CVE-2026-8458.json", "last_affected": "8.20.0", "issue": "https://hackerone.com/reports/3721183", "affects": "lib", "severity": "Low", "www": "https://curl.se/docs/CVE-2026-8458.html", "CWE": { "desc": "Exposure of Data Element to Wrong Session", "id": "CWE-488" } }- References
-
- Credits
-
-
- Muhamad Arga Reksapati - FINDER
-
- Stefan Eissing - REMEDIATION_DEVELOPER
-
Affected packages
Git / github.com/curl/curl.git
Affected ranges
- Type
- SEMVER
- Events
-
Introduced7.43.0Fixed8.21.0
- Type
- GIT
- Repo
- https://github.com/curl/curl.git
- Events
Affected versions
7.*
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0
7.49.0
7.49.1
7.50.0
7.50.1
7.50.2
7.50.3
7.51.0
7.52.0
7.52.1
7.53.0
7.53.1
7.54.0
7.54.1
7.55.0
7.55.1
7.56.0
7.56.1
7.57.0
7.58.0
7.59.0
7.60.0
7.61.0
7.61.1
7.62.0
7.63.0
7.64.0
7.64.1
7.65.0
7.65.1
7.65.2
7.65.3
7.66.0
7.67.0
7.68.0
7.69.0
7.69.1
7.70.0
7.71.0
7.71.1
7.72.0
7.73.0
7.74.0
7.75.0
7.76.0
7.76.1
7.77.0
7.78.0
7.79.0
7.79.1
7.80.0
7.81.0
7.82.0
7.83.0
7.83.1
7.84.0
7.85.0
7.86.0
7.87.0
7.88.0
7.88.1
8.*
8.0.0
8.0.1
8.1.0
8.1.1
8.1.2
8.10.0
8.10.1
8.11.0
8.11.1
8.12.0
8.12.1
8.13.0
8.14.0
8.14.1
8.15.0
8.16.0
8.17.0
8.18.0
8.19.0
8.2.0
8.2.1
8.20.0
8.3.0
8.4.0
8.5.0
8.6.0
8.7.0
8.7.1
8.8.0
8.9.0
8.9.1
Other
curl-7_43_0
curl-7_44_0
curl-7_45_0
curl-7_46_0
curl-7_47_0
curl-7_47_1
curl-7_48_0
curl-7_49_0
curl-7_49_1
curl-7_50_0
curl-7_50_1
curl-7_50_2
curl-7_50_3
curl-7_51_0
curl-7_52_0
curl-7_52_1
curl-7_53_0
curl-7_53_1
curl-7_54_0
curl-7_54_1
curl-7_55_0
curl-7_55_1
curl-7_56_0
curl-7_56_1
curl-7_57_0
curl-7_58_0
curl-7_59_0
curl-7_60_0
curl-7_61_0
curl-7_61_1
curl-7_62_0
curl-7_63_0
curl-7_64_0
curl-7_64_1
curl-7_65_0
curl-7_65_1
curl-7_65_2
curl-7_65_3
curl-7_66_0
curl-7_67_0
curl-7_68_0
curl-7_69_0
curl-7_69_1
curl-7_70_0
curl-7_71_0
curl-7_71_1
curl-7_72_0
curl-7_73_0
curl-7_74_0
curl-7_75_0
curl-7_76_0
curl-7_76_1
curl-7_77_0
curl-7_78_0
curl-7_79_0
curl-7_79_1
curl-7_80_0
curl-7_81_0
curl-7_82_0
curl-7_83_0
curl-7_83_1
curl-7_84_0
curl-7_85_0
curl-7_86_0
curl-7_87_0
curl-7_88_0
curl-7_88_1
curl-8_0_0
curl-8_0_1
curl-8_10_0
curl-8_10_1
curl-8_11_0
curl-8_11_1
curl-8_12_0
curl-8_12_1
curl-8_13_0
curl-8_14_0
curl-8_14_1
curl-8_15_0
curl-8_16_0
curl-8_17_0
curl-8_18_0
curl-8_19_0
curl-8_1_0
curl-8_1_1
curl-8_1_2
curl-8_20_0
curl-8_2_0
curl-8_2_1
curl-8_3_0
curl-8_4_0
curl-8_5_0
curl-8_6_0
curl-8_7_0
curl-8_7_1
curl-8_8_0
curl-8_9_0
curl-8_9_1
rc-8_18_0-1
rc-8_18_0-2
rc-8_18_0-3
rc-8_19_0-1
rc-8_19_0-2
rc-8_19_0-3
rc-8_20_0-1
rc-8_20_0-2
rc-8_20_0-3
tiny-curl-7_72_0
tiny-curl-8_4_0
Database specific
source
"https://curl.se/docs/CURL-CVE-2026-8458.json"
vanir_signatures_modified
"2026-06-24T14:05:45Z"
vanir_signatures
[
{
"target": {
"file": "lib/vauth/ntlm.c"
},
"id": "CURL-CVE-2026-8458-05674c9d",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"131133269132561604980160935777623914227",
"236643273924206828746213736897287979489",
"13992128071164298375871385942225218502",
"238854585901285710447431180099839543713",
"68957354415944429458175027683812603475",
"327567988807598174500690090899872797105",
"46578820557026532549426217570065109776"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/curl_sasl.c"
},
"id": "CURL-CVE-2026-8458-08a0f976",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"296070965643488545793586696389321613146",
"226363162214976162041645392435241839430",
"133151777568722917704448403638726174988",
"23840144978261541419604265686509791934",
"297749191289701577660184769099886424031",
"338885930668614050968455274869169118907",
"93807122643920341090003180276561746387",
"104808351523164052800123753910941378630",
"317259938674191808806233654509170561136",
"328355046187445104393222718008922990566",
"188243137080258304082595182158798760030",
"198176376429589720981425952787034519771",
"91087344036793321675363937914998562070",
"135823895432989842061839298862040398677",
"234930312166517267681412261277992021861",
"332454232719863739433294540348859190500",
"250747626911285282984951431730851199565",
"183642911914975550270746040748316794206",
"182617858873447228927906591931287952118",
"116229107719170247529113448491006433887",
"278260329771185342187890897848625623258",
"120488176101434928231608273244039016153",
"712106685140149537302548640363846201",
"102910363378525632099868743205849447236",
"68979858568244644663652464481703603356",
"257502889359625148799103889252687263202",
"167286264412726464904471259787801865712",
"288106997428353368249655655177256542558",
"179063757513162494933698705836643658877",
"285191138722892922408194289580789801870",
"83945959734380226540789905739926703262",
"134986461706924501481129061926950287112",
"128582469435340518859335404731315394943"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/curl_sasl.c",
"function": "Curl_sasl_continue"
},
"id": "CURL-CVE-2026-8458-0c999af5",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 4890.0,
"function_hash": "184381756317090533378747060868130995288"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/spnego_gssapi.c"
},
"id": "CURL-CVE-2026-8458-0cd614b1",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"30605879100500437507856373944605254832",
"337027118988515764330638184673270102903",
"85887358452963428903011354564335339882",
"215337797396709220790280947467406375611",
"337815262753453648733916956437942101822",
"115256794223216950070804860010701882609",
"45426469797407475448254842047543600506"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "tests/unit/unit1304.c"
},
"id": "CURL-CVE-2026-8458-0d85be17",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"109532323053949467231115586568332907621",
"222002067558750143249081776298141482609",
"311521466985697410646809202280248446895",
"38973899648068879797454711447029941266"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/krb5_sspi.c",
"function": "Curl_auth_create_gssapi_user_message"
},
"id": "CURL-CVE-2026-8458-133b3e59",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 2972.0,
"function_hash": "82327947277019586702754338708573347183"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/openldap.c",
"function": "oldap_perform_bind"
},
"id": "CURL-CVE-2026-8458-196dda7a",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 712.0,
"function_hash": "334394234275027321592874715888930185260"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/krb5_gssapi.c"
},
"id": "CURL-CVE-2026-8458-1b2d656c",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"115376777505587827620471669613014555513",
"257268835978956040638342100145675498591",
"146682638191626827612469621854959300268",
"242837492374400765180157871716340007329",
"194871693785729276599458262302494202594",
"211155382668602562248882592327565576546",
"338976293281519772418995029008049942790",
"175231112645410522988272269943702986681"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/digest_sspi.c",
"function": "Curl_auth_create_digest_md5_message"
},
"id": "CURL-CVE-2026-8458-1c86e13a",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 2755.0,
"function_hash": "201632541145019434622046736089826687887"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/openldap.c"
},
"id": "CURL-CVE-2026-8458-21112974",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"61703778026119650899357134709638968674",
"216395037782659793921909638798632749658",
"19798245859305349211669133918930229837",
"106464489432119784204726530810101879243"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/http_ntlm.c",
"function": "Curl_output_ntlm"
},
"id": "CURL-CVE-2026-8458-27714729",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 2602.0,
"function_hash": "260045965240571732852971863769004466980"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/url.c",
"function": "url_set_data_creds"
},
"id": "CURL-CVE-2026-8458-3169253b",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 1766.0,
"function_hash": "91299840414650153996787999236686689509"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/digest_sspi.c"
},
"id": "CURL-CVE-2026-8458-3ea504e3",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"45632602525096981984729034303752206035",
"299149047008239908290222407514356235779",
"340016407922144152793149776876874245975",
"312620937778394818685580643024176659463",
"63235119232089688767519300617684024494",
"284725202519772165004432515073636269775",
"292677775666577706210569925614305349340",
"229160514750311362968603001161490669762"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/socks_gssapi.c",
"function": "Curl_SOCKS5_gssapi_negotiate"
},
"id": "CURL-CVE-2026-8458-40ce35e8",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 666.0,
"function_hash": "288652029181137140945815677794363167706"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/url.c",
"function": "parse_proxy"
},
"id": "CURL-CVE-2026-8458-59ca1826",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 2117.0,
"function_hash": "288674476271057224419205144042299258700"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/socks_gssapi.c"
},
"id": "CURL-CVE-2026-8458-6875ab61",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"22485996410497683027131952627038916280",
"230709435385335507837110808688382515357",
"131019033132838978647237503155578696328",
"225319779446599512713356755644467284691",
"12127228956012810097799665487268500356",
"113523444856577167015824008093099978540",
"328501816214493318824896488303686162872",
"245992900209959630656475018308200947730",
"134143209020880090221058000937168068417",
"230347087111336043407786438204922800444",
"34558769833607308898655000569289715414",
"89939638502864681233182259051275634468",
"66808239332050699815826238665346754754",
"218202333898078856984326107901079983410",
"252649638382735865962080490326933390491"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/socks.c"
},
"id": "CURL-CVE-2026-8458-6eaef693",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"175177802052379156870760759042454504257",
"198845875513348950531345960985310551600",
"70438103738914076389915490568782049774",
"103748601221776386490517817710227551827"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/creds.c"
},
"id": "CURL-CVE-2026-8458-7f5f53e1",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"42111808500321956628227631448498308789",
"104146325563508285465189971390197233850",
"49863501117929899946229377708814991584",
"270378443273333922979364821585678537137",
"16721757978570701791224573861606024766",
"58043549194503679111855035489560830624",
"33904604519574150256311640247809097601",
"107301726887474332911826318745544441657",
"11055074578510050233712013306640346000",
"311811556698560549925651906074766414767",
"52321241973419035424314512044591755928",
"33455036789517966221602507659611589928",
"47595904475985770214128257370842372193",
"11635233778149284565490415535778120663",
"138290536467277029733312439499926515131",
"183306425502290038648097652102260316996",
"338237665271054451985000456866535432659",
"240770964020848801218809570372162093702",
"258746530568898915628826687546744803331",
"315855971697500550484153031053044982658",
"186156997743674293765693182022418980504",
"56491724364248992299318827506314959290",
"215937335004376457908368164768214181956",
"267531160967641960269437065914717564850",
"110805692775768240330546471144135447434",
"276201594788469838078511875335528962133",
"79844649851934290205189985921022027360",
"66566523028376391260649052378632071800",
"1727984952938238186332567690110103018",
"116520439988702761459203606118692343369",
"258095877848887307977916257205769065621",
"35727591428242952674642393727474826995",
"5266756563157798813894806715537931885",
"334026801469649373740486602684649464269",
"138459681247285492240317822811941633985",
"131494259821263617793264713480970209342",
"2956367690892485010795517985879840738",
"52731882480501327158273310262512398501",
"109769107045048381795536290995177222627",
"186050931771462245625523714876264510300",
"165692171206297823499192616574533646793",
"249184715418628274502750451085885216200",
"124256263543578375924605714184306960162",
"81492054133270066501655096531081890098",
"46670366653791743401740656008916595475",
"199893710453168457632687662339201847728",
"330287946202414158555791906432550909400"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/http_negotiate.c"
},
"id": "CURL-CVE-2026-8458-81e88a70",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"206085259962261363014038226134532126186",
"112621985369123868020143663695906751637",
"154275731873751188677121209294641610872",
"43296512606666667286048928569663203402",
"321756469679113168196002201909773375203",
"310227185486929162323736798415132225902",
"24688123237641488151667892465880432579",
"240555389597825435162609155023616919644",
"328408965503758415728469364750132539783",
"35050982579731853488183706425575913360",
"141882039405859215035575921249309924355",
"259412717547259261960778578185459124641",
"204029361426696846209064265195458038601",
"321585702637373785551797735360798584171",
"191525215426195625551777445768078748480",
"144047343648641727374639201033512519156",
"279048916219681932466702078155659576263",
"141707690676109015300160209214296865034",
"64517611707335124931411220280020237374"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/ntlm.c",
"function": "Curl_auth_create_ntlm_type1_message"
},
"id": "CURL-CVE-2026-8458-8757d6f0",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 1614.0,
"function_hash": "54516707113723019069995356457345668139"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/creds.c",
"function": "Curl_creds_create"
},
"id": "CURL-CVE-2026-8458-938f9385",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 1373.0,
"function_hash": "73860140657984375648121659137289499215"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/socks.h"
},
"id": "CURL-CVE-2026-8458-943803ae",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"109502063055277399261771596252224781757",
"115840534772368650563871374084143564823",
"40162460630184712977569009128999751009",
"308166079021937863090390993376959367920"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/vauth.h"
},
"id": "CURL-CVE-2026-8458-9aeb08c1",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"45632602525096981984729034303752206035",
"233007897012899114499134890756203278189",
"95687799240056149354674767054434196561",
"114440385287005126098511621849569087743",
"219020937470269744552544375880550831285",
"236643273924206828746213736897287979489",
"13992128071164298375871385942225218502",
"113766166600625474376327601079847723900",
"114425007738183449149878634082714778823",
"257268835978956040638342100145675498591",
"146682638191626827612469621854959300268",
"242837492374400765180157871716340007329",
"163855462113734403491258472081036686715",
"337027118988515764330638184673270102903",
"85887358452963428903011354564335339882",
"297238793752154068082505269820970206692"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/creds.h"
},
"id": "CURL-CVE-2026-8458-a942ee65",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"239155807125717559537115518806749925383",
"23671605995551531265997141827694425409",
"327578126918926878626511095634547445085",
"119085505754257205521358052994783812268",
"191013236650511708617899116147992104005",
"333964493961537256052160704854301095400",
"104146325563508285465189971390197233850",
"49863501117929899946229377708814991584",
"327683825059501214095066965477109011442",
"146677306821149164668786724633609294292",
"96441492489638749272550243350275023418",
"283959436588958076733492559339507352187",
"203904458178487689375634194583766599066"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/digest.c"
},
"id": "CURL-CVE-2026-8458-b0a3d3a6",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"45632602525096981984729034303752206035",
"299149047008239908290222407514356235779",
"340016407922144152793149776876874245975",
"193473682146679845847706365829777470465",
"323551088834445865408107177656021140259",
"297093795375716416265986115633477982435"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/creds.c",
"function": "Curl_creds_same"
},
"id": "CURL-CVE-2026-8458-b0c1d2b8",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 330.0,
"function_hash": "100372277611983813751580607506350354991"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/curl_sasl.c",
"function": "sasl_choose_ntlm"
},
"id": "CURL-CVE-2026-8458-b4259a37",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 769.0,
"function_hash": "176355026064202411673187840482908925805"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/creds.c",
"function": "Curl_creds_merge"
},
"id": "CURL-CVE-2026-8458-b51ef2eb",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 421.0,
"function_hash": "53239979655464579543720486887537136371"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/krb5_gssapi.c",
"function": "Curl_auth_create_gssapi_user_message"
},
"id": "CURL-CVE-2026-8458-b6442691",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 1518.0,
"function_hash": "172868306802954387332438998215407644625"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/socks_sspi.c",
"function": "socks5_sspi_setup"
},
"id": "CURL-CVE-2026-8458-b713f683",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 798.0,
"function_hash": "26809615103712896894449373739167658218"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/imap.c"
},
"id": "CURL-CVE-2026-8458-b85a66f4",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"192209044385899844183693988015767327393",
"149539691351365310675450276876553057442",
"266833078777338860725877708101019842227",
"48234179652972630197282195413863692909"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/url.c",
"function": "override_login"
},
"id": "CURL-CVE-2026-8458-b9a4a14b",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 2800.0,
"function_hash": "211883848174664395509728831488271811006"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/spnego_sspi.c"
},
"id": "CURL-CVE-2026-8458-baeb8eed",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"30605879100500437507856373944605254832",
"337027118988515764330638184673270102903",
"85887358452963428903011354564335339882",
"215337797396709220790280947467406375611",
"210302217785079320972611363767713632054",
"326533131827468475674276902505654461727",
"184216407984109482672351630691437525484"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/pop3.c"
},
"id": "CURL-CVE-2026-8458-be712aeb",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"189805629532768806605605493410995959624",
"125810241216915808454464634632072294682",
"52260443936822369657461160024432008325",
"319184244094858240392511329050456590502"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/krb5_sspi.c"
},
"id": "CURL-CVE-2026-8458-beb31972",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"115376777505587827620471669613014555513",
"257268835978956040638342100145675498591",
"146682638191626827612469621854959300268",
"242837492374400765180157871716340007329",
"63235119232089688767519300617684024494",
"338776260036417418076396347546294144223",
"80398380667354116892639927281141551019",
"215064512947686384998841065225982714796"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/pop3.c",
"function": "pop3_perform_user"
},
"id": "CURL-CVE-2026-8458-c0aff8ee",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 403.0,
"function_hash": "81972827631764743423051002420630942738"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/url.c"
},
"id": "CURL-CVE-2026-8458-c1a344c4",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"204948646437911583000451231954613052759",
"43171189151216146443162651772042634801",
"323108295533411513677390647971032475967",
"202820097847514769072720009112018648987",
"250129161972191357581571743388673667098",
"75197854796838014072050481970545317094",
"64201274780541139630565820506444092430",
"290068352038601298686864054407251717452",
"44009602466531841248142331354329391729",
"271378079365442358889864868476306436038",
"268689102617259311824991617806165302777",
"244308229415381798906281392847708725366",
"149560144109006021728529420958547216151",
"154180039423079669475500698963298631195",
"335939243097788969302670473207543629533",
"218183911202367150585545379123325942825",
"101620917788355195258450986074289897869",
"219432484084302484204187382504549384146",
"96059385989574848170943985461889250408",
"263543846517895687310758691795538188016",
"156819644504175040439321243641859269488",
"54322947945066766729917823266125930362",
"310415774278603841667845040459527645957",
"232375231424210085068419118231295587738",
"263529411355180058234391138124206733879",
"182667147496115462284035957460340565105",
"180827070857863041885997406312062947585"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/spnego_gssapi.c",
"function": "Curl_auth_decode_spnego_message"
},
"id": "CURL-CVE-2026-8458-c4b6c20a",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 2180.0,
"function_hash": "101917370021938686314867888743619413606"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/spnego_sspi.c",
"function": "Curl_auth_decode_spnego_message"
},
"id": "CURL-CVE-2026-8458-c87986ec",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 4160.0,
"function_hash": "11778748696068745838182869705274527348"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/http_ntlm.c"
},
"id": "CURL-CVE-2026-8458-c990aa91",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"25947991640903384166934030227343822770",
"214184092662992305444377033299324540376",
"184760400956734988795321710567704625546",
"118508349720772485782036383126063947532",
"148291234461390097071728963409975931917",
"247790282546515250871989945859688813285",
"94783326404154355558429739059661672762",
"262809762930830940974272485484260549574",
"259746583212884874306626506497164162841",
"270546744587123026340614595136034149922",
"22045359633690587295218145906006325727",
"238966305812429568028598023272539358457",
"320031947986299904087034190401087536303",
"156669179242208414330681636439105305973",
"214008744266984397418800587488177810019",
"241341760325921362263519988412024803226",
"289922247225719498890477046446411169976",
"316487034480750197080007518941763205401",
"279309486179908728202284554329027956687",
"239839587932310150544439752936967129600",
"179761887423419717821143260985047094180",
"261846874875494497779666637100247829833",
"5549136075214084120740194861751696462"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/ntlm_sspi.c"
},
"id": "CURL-CVE-2026-8458-cde4337b",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"131133269132561604980160935777623914227",
"236643273924206828746213736897287979489",
"13992128071164298375871385942225218502",
"238854585901285710447431180099839543713",
"98107255346311729849131309663644230494",
"28608618421344094777261367402872538268",
"234467850532933353869606452836954719391",
"72706051931516208994044223461333507889"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/curl_sasl.c",
"function": "sasl_choose_krb5"
},
"id": "CURL-CVE-2026-8458-ceacc59e",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 856.0,
"function_hash": "292014136446134248894240624098740270751"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/url.c",
"function": "url_set_conn_login"
},
"id": "CURL-CVE-2026-8458-db08d0fc",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 488.0,
"function_hash": "102041484563633851174650686870841548528"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/netrc.c",
"function": "netrc_finalize"
},
"id": "CURL-CVE-2026-8458-de8e07ee",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 812.0,
"function_hash": "201385764185832298124218835659603414032"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/netrc.c"
},
"id": "CURL-CVE-2026-8458-dec30f5f",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"118294419820340559685915022133562022191",
"227375538359275878663916601881574310757",
"70402421402622044543297828147024294844",
"240758161275349280446376060242104724400"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/socks.c",
"function": "socks5_connect"
},
"id": "CURL-CVE-2026-8458-e3d26f76",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 4075.0,
"function_hash": "121653307757525424836898635586106215868"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/imap.c",
"function": "imap_perform_login"
},
"id": "CURL-CVE-2026-8458-e6b89257",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 521.0,
"function_hash": "169816356920265988576536134421158009729"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/digest.c",
"function": "Curl_auth_create_digest_md5_message"
},
"id": "CURL-CVE-2026-8458-f588081b",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 4250.0,
"function_hash": "170568490105329642579226280768661728882"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/http_negotiate.c",
"function": "Curl_input_negotiate"
},
"id": "CURL-CVE-2026-8458-f6f517c4",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 2066.0,
"function_hash": "161140253318119641798948593070067853950"
},
"signature_version": "v1"
},
{
"target": {
"file": "tests/unit/unit1304.c",
"function": "t1304_set_creds"
},
"id": "CURL-CVE-2026-8458-f8ed9b53",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 224.0,
"function_hash": "242896197719548288530221799129464267680"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/socks_sspi.c"
},
"id": "CURL-CVE-2026-8458-fa8dea80",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"206769408198388035105797554035900268579",
"180767291568760539427339963530308435875",
"111883483407954580134893859589649627338",
"128511627094956920563736673181966493546",
"339155530518974488967280816155419544789",
"315474338656017060954850194368263497885",
"231664257058018842411835629741781577812",
"18513927242192594914949385122644051818",
"85584622225802311782354624304144466386",
"265953906445018271897060941191463026843",
"22485996410497683027131952627038916280",
"230709435385335507837110808688382515357",
"131019033132838978647237503155578696328",
"225319779446599512713356755644467284691",
"198448922597619647416668232414459259754",
"254555840770415729595115916379337563994",
"204889792529614848566939637007270365349",
"116084511672751982969659482821362431549"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/vauth/ntlm_sspi.c",
"function": "Curl_auth_create_ntlm_type1_message"
},
"id": "CURL-CVE-2026-8458-facbf8e0",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 2234.0,
"function_hash": "161122196913116638932125263875127728936"
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/socks_sspi.c",
"function": "Curl_SOCKS5_gssapi_negotiate"
},
"id": "CURL-CVE-2026-8458-fd95c886",
"source": "https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 1569.0,
"function_hash": "72289558331978670027463500603255503506"
},
"signature_version": "v1"
}
]