{"id":"CURL-CVE-2026-8458","summary":"wrong reuse for different services","details":"libcurl might in some circumstances reuse the wrong connection when asked to\ndo Negotiate-authenticated requests, even when they are set to use different\n\"services\".\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection, a range of criteria must be met. Due to a logical\nerror in the code, a request that was issued by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different services.","aliases":["CVE-2026-8458"],"modified":"2026-06-24T14:05:45.463439Z","published":"2026-06-24T08:00:00Z","database_specific":{"issue":"https://hackerone.com/reports/3721183","severity":"Low","URL":"https://curl.se/docs/CVE-2026-8458.json","www":"https://curl.se/docs/CVE-2026-8458.html","last_affected":"8.20.0","package":"curl","CWE":{"desc":"Exposure of Data Element to Wrong 
Session","id":"CWE-488"},"affects":"lib"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.43.0"},{"fixed":"8.21.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"97c272e5d173ad5f706443e2477f0a84f0044edd"},{"fixed":"5e99b73cf441d9c369768b9cd48b5389b9a2503d"}]}],"versions":["8.20.0","8.19.0","8.18.0","8.17.0","8.16.0","8.15.0","8.14.1","8.14.0","8.13.0","8.12.1","8.12.0","8.11.1","8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","8.7.1","8.7.0","8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","curl-8_20_0","rc-8_20_0-3","rc-8_20_0-2","rc-8_20_0-1","curl-8_19_0","rc-8_19_0-3","rc-8_19_0-2","rc-8_19_0-1","curl-8_18_0","rc-8_18_0-3","rc-8_18_0-2","rc-8_18_0-1","curl-8_17_0","curl-8_16_0","curl-8_15_0","curl-8_14_1","curl-8_14_0","curl-8_13_0","curl-8_12_1","curl-8_12_0","curl-8_11_1","curl-8_11_0","curl-8_10_1","curl-8_10_0","curl-8_9_1","curl-8_9_0","curl-8_8_0","curl-8_7_1","curl-8_7_0","curl-8_6_0","curl-8_5_0","tiny-curl-8_4_0","curl-8_4_0","curl-8_3_0","curl-8_2_1","curl-8_2_0","curl-8_1_2","curl-8_1_1","curl-8_1_0","curl-8_0_1","curl-8_0_0","curl-7_88_1","curl-7_88_0","curl-7_87_0","curl-7_86_0","curl-7_85_0","curl-7_84_0","curl-7_83_1","curl-7_83_0","curl-7_82_0","curl-7_81_0","curl-7_80_0","curl-7_79_1","curl-7_79_0","curl-7_78_0","curl-7_77_0","curl-7_76_1","curl-7_76_0","curl
-7_75_0","curl-7_74_0","curl-7_73_0","tiny-curl-7_72_0","curl-7_72_0","curl-7_71_1","curl-7_71_0","curl-7_70_0","curl-7_69_1","curl-7_69_0","curl-7_68_0","curl-7_67_0","curl-7_66_0","curl-7_65_3","curl-7_65_2","curl-7_65_1","curl-7_65_0","curl-7_64_1","curl-7_64_0","curl-7_63_0","curl-7_62_0","curl-7_61_1","curl-7_61_0","curl-7_60_0","curl-7_59_0","curl-7_58_0","curl-7_57_0","curl-7_56_1","curl-7_56_0","curl-7_55_1","curl-7_55_0","curl-7_54_1","curl-7_54_0","curl-7_53_1","curl-7_53_0","curl-7_52_1","curl-7_52_0","curl-7_51_0","curl-7_50_3","curl-7_50_2","curl-7_50_1","curl-7_50_0","curl-7_49_1","curl-7_49_0","curl-7_48_0","curl-7_47_1","curl-7_47_0","curl-7_46_0","curl-7_45_0","curl-7_44_0","curl-7_43_0"],"database_specific":{"vanir_signatures":[{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["131133269132561604980160935777623914227","236643273924206828746213736897287979489","13992128071164298375871385942225218502","238854585901285710447431180099839543713","68957354415944429458175027683812603475","327567988807598174500690090899872797105","46578820557026532549426217570065109776"],"threshold":0.9},"id":"CURL-CVE-2026-8458-05674c9d","deprecated":false,"target":{"file":"lib/vauth/ntlm.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["296070965643488545793586696389321613146","226363162214976162041645392435241839430","133151777568722917704448403638726174988","23840144978261541419604265686509791934","297749191289701577660184769099886424031","338885930668614050968455274869169118907","93807122643920341090003180276561746387","104808351523164052800123753910941378630","317259938674191808806233654509170561136","328355046187445104393222718008922990566","188243137080258304082595182158798760030","198176376429589720981425952787034519771","91087344036793321675363937914998562070","135823895432989842061839298862040398677","234930312166517
267681412261277992021861","332454232719863739433294540348859190500","250747626911285282984951431730851199565","183642911914975550270746040748316794206","182617858873447228927906591931287952118","116229107719170247529113448491006433887","278260329771185342187890897848625623258","120488176101434928231608273244039016153","712106685140149537302548640363846201","102910363378525632099868743205849447236","68979858568244644663652464481703603356","257502889359625148799103889252687263202","167286264412726464904471259787801865712","288106997428353368249655655177256542558","179063757513162494933698705836643658877","285191138722892922408194289580789801870","83945959734380226540789905739926703262","134986461706924501481129061926950287112","128582469435340518859335404731315394943"],"threshold":0.9},"id":"CURL-CVE-2026-8458-08a0f976","deprecated":false,"target":{"file":"lib/curl_sasl.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"184381756317090533378747060868130995288","length":4890},"id":"CURL-CVE-2026-8458-0c999af5","deprecated":false,"target":{"function":"Curl_sasl_continue","file":"lib/curl_sasl.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["30605879100500437507856373944605254832","337027118988515764330638184673270102903","85887358452963428903011354564335339882","215337797396709220790280947467406375611","337815262753453648733916956437942101822","115256794223216950070804860010701882609","45426469797407475448254842047543600506"],"threshold":0.9},"id":"CURL-CVE-2026-8458-0cd614b1","deprecated":false,"target":{"file":"lib/vauth/spnego_gssapi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["10953232305394946
7231115586568332907621","222002067558750143249081776298141482609","311521466985697410646809202280248446895","38973899648068879797454711447029941266"],"threshold":0.9},"id":"CURL-CVE-2026-8458-0d85be17","deprecated":false,"target":{"file":"tests/unit/unit1304.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"82327947277019586702754338708573347183","length":2972},"id":"CURL-CVE-2026-8458-133b3e59","deprecated":false,"target":{"function":"Curl_auth_create_gssapi_user_message","file":"lib/vauth/krb5_sspi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"334394234275027321592874715888930185260","length":712},"id":"CURL-CVE-2026-8458-196dda7a","deprecated":false,"target":{"function":"oldap_perform_bind","file":"lib/openldap.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["115376777505587827620471669613014555513","257268835978956040638342100145675498591","146682638191626827612469621854959300268","242837492374400765180157871716340007329","194871693785729276599458262302494202594","211155382668602562248882592327565576546","338976293281519772418995029008049942790","175231112645410522988272269943702986681"],"threshold":0.9},"id":"CURL-CVE-2026-8458-1b2d656c","deprecated":false,"target":{"file":"lib/vauth/krb5_gssapi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"201632541145019434622046736089826687887","length":2755},"id":"CURL-CVE-2026-8458-1c86e13a","deprecated":false,"target":{"function":"Curl_auth_create_digest_md5_message","file":"lib/vauth/digest_sspi.c"},"source":"https
://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["61703778026119650899357134709638968674","216395037782659793921909638798632749658","19798245859305349211669133918930229837","106464489432119784204726530810101879243"],"threshold":0.9},"id":"CURL-CVE-2026-8458-21112974","deprecated":false,"target":{"file":"lib/openldap.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"260045965240571732852971863769004466980","length":2602},"id":"CURL-CVE-2026-8458-27714729","deprecated":false,"target":{"function":"Curl_output_ntlm","file":"lib/http_ntlm.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"91299840414650153996787999236686689509","length":1766},"id":"CURL-CVE-2026-8458-3169253b","deprecated":false,"target":{"function":"url_set_data_creds","file":"lib/url.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["45632602525096981984729034303752206035","299149047008239908290222407514356235779","340016407922144152793149776876874245975","312620937778394818685580643024176659463","63235119232089688767519300617684024494","284725202519772165004432515073636269775","292677775666577706210569925614305349340","229160514750311362968603001161490669762"],"threshold":0.9},"id":"CURL-CVE-2026-8458-3ea504e3","deprecated":false,"target":{"file":"lib/vauth/digest_sspi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"288652029181137140945815677794363167706","length":666},"id":"CURL-CVE-2026-8458-40ce35e
8","deprecated":false,"target":{"function":"Curl_SOCKS5_gssapi_negotiate","file":"lib/socks_gssapi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"288674476271057224419205144042299258700","length":2117},"id":"CURL-CVE-2026-8458-59ca1826","deprecated":false,"target":{"function":"parse_proxy","file":"lib/url.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["22485996410497683027131952627038916280","230709435385335507837110808688382515357","131019033132838978647237503155578696328","225319779446599512713356755644467284691","12127228956012810097799665487268500356","113523444856577167015824008093099978540","328501816214493318824896488303686162872","245992900209959630656475018308200947730","134143209020880090221058000937168068417","230347087111336043407786438204922800444","34558769833607308898655000569289715414","89939638502864681233182259051275634468","66808239332050699815826238665346754754","218202333898078856984326107901079983410","252649638382735865962080490326933390491"],"threshold":0.9},"id":"CURL-CVE-2026-8458-6875ab61","deprecated":false,"target":{"file":"lib/socks_gssapi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["175177802052379156870760759042454504257","198845875513348950531345960985310551600","70438103738914076389915490568782049774","103748601221776386490517817710227551827"],"threshold":0.9},"id":"CURL-CVE-2026-8458-6eaef693","deprecated":false,"target":{"file":"lib/socks.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["42111808500321956628227631448498308789","10414
6325563508285465189971390197233850","49863501117929899946229377708814991584","270378443273333922979364821585678537137","16721757978570701791224573861606024766","58043549194503679111855035489560830624","33904604519574150256311640247809097601","107301726887474332911826318745544441657","11055074578510050233712013306640346000","311811556698560549925651906074766414767","52321241973419035424314512044591755928","33455036789517966221602507659611589928","47595904475985770214128257370842372193","11635233778149284565490415535778120663","138290536467277029733312439499926515131","183306425502290038648097652102260316996","338237665271054451985000456866535432659","240770964020848801218809570372162093702","258746530568898915628826687546744803331","315855971697500550484153031053044982658","186156997743674293765693182022418980504","56491724364248992299318827506314959290","215937335004376457908368164768214181956","267531160967641960269437065914717564850","110805692775768240330546471144135447434","276201594788469838078511875335528962133","79844649851934290205189985921022027360","66566523028376391260649052378632071800","1727984952938238186332567690110103018","116520439988702761459203606118692343369","258095877848887307977916257205769065621","35727591428242952674642393727474826995","5266756563157798813894806715537931885","334026801469649373740486602684649464269","138459681247285492240317822811941633985","131494259821263617793264713480970209342","2956367690892485010795517985879840738","52731882480501327158273310262512398501","109769107045048381795536290995177222627","186050931771462245625523714876264510300","165692171206297823499192616574533646793","249184715418628274502750451085885216200","124256263543578375924605714184306960162","81492054133270066501655096531081890098","46670366653791743401740656008916595475","199893710453168457632687662339201847728","330287946202414158555791906432550909400"],"threshold":0.9},"id":"CURL-CVE-2026-8458-7f5f53e1","deprecated":false,"target":{"file":"lib/cr
eds.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["206085259962261363014038226134532126186","112621985369123868020143663695906751637","154275731873751188677121209294641610872","43296512606666667286048928569663203402","321756469679113168196002201909773375203","310227185486929162323736798415132225902","24688123237641488151667892465880432579","240555389597825435162609155023616919644","328408965503758415728469364750132539783","35050982579731853488183706425575913360","141882039405859215035575921249309924355","259412717547259261960778578185459124641","204029361426696846209064265195458038601","321585702637373785551797735360798584171","191525215426195625551777445768078748480","144047343648641727374639201033512519156","279048916219681932466702078155659576263","141707690676109015300160209214296865034","64517611707335124931411220280020237374"],"threshold":0.9},"id":"CURL-CVE-2026-8458-81e88a70","deprecated":false,"target":{"file":"lib/http_negotiate.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"54516707113723019069995356457345668139","length":1614},"id":"CURL-CVE-2026-8458-8757d6f0","deprecated":false,"target":{"function":"Curl_auth_create_ntlm_type1_message","file":"lib/vauth/ntlm.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"73860140657984375648121659137289499215","length":1373},"id":"CURL-CVE-2026-8458-938f9385","deprecated":false,"target":{"function":"Curl_creds_create","file":"lib/creds.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["109502063055277399261771596252224
781757","115840534772368650563871374084143564823","40162460630184712977569009128999751009","308166079021937863090390993376959367920"],"threshold":0.9},"id":"CURL-CVE-2026-8458-943803ae","deprecated":false,"target":{"file":"lib/socks.h"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["45632602525096981984729034303752206035","233007897012899114499134890756203278189","95687799240056149354674767054434196561","114440385287005126098511621849569087743","219020937470269744552544375880550831285","236643273924206828746213736897287979489","13992128071164298375871385942225218502","113766166600625474376327601079847723900","114425007738183449149878634082714778823","257268835978956040638342100145675498591","146682638191626827612469621854959300268","242837492374400765180157871716340007329","163855462113734403491258472081036686715","337027118988515764330638184673270102903","85887358452963428903011354564335339882","297238793752154068082505269820970206692"],"threshold":0.9},"id":"CURL-CVE-2026-8458-9aeb08c1","deprecated":false,"target":{"file":"lib/vauth/vauth.h"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["239155807125717559537115518806749925383","23671605995551531265997141827694425409","327578126918926878626511095634547445085","119085505754257205521358052994783812268","191013236650511708617899116147992104005","333964493961537256052160704854301095400","104146325563508285465189971390197233850","49863501117929899946229377708814991584","327683825059501214095066965477109011442","146677306821149164668786724633609294292","96441492489638749272550243350275023418","283959436588958076733492559339507352187","203904458178487689375634194583766599066"],"threshold":0.9},"id":"CURL-CVE-2026-8458-a942ee65","deprecated":false,"target":{"file":"lib/creds.h"},"s
ource":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["45632602525096981984729034303752206035","299149047008239908290222407514356235779","340016407922144152793149776876874245975","193473682146679845847706365829777470465","323551088834445865408107177656021140259","297093795375716416265986115633477982435"],"threshold":0.9},"id":"CURL-CVE-2026-8458-b0a3d3a6","deprecated":false,"target":{"file":"lib/vauth/digest.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"100372277611983813751580607506350354991","length":330},"id":"CURL-CVE-2026-8458-b0c1d2b8","deprecated":false,"target":{"function":"Curl_creds_same","file":"lib/creds.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"176355026064202411673187840482908925805","length":769},"id":"CURL-CVE-2026-8458-b4259a37","deprecated":false,"target":{"function":"sasl_choose_ntlm","file":"lib/curl_sasl.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"53239979655464579543720486887537136371","length":421},"id":"CURL-CVE-2026-8458-b51ef2eb","deprecated":false,"target":{"function":"Curl_creds_merge","file":"lib/creds.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"172868306802954387332438998215407644625","length":1518},"id":"CURL-CVE-2026-8458-b6442691","deprecated":false,"target":{"function":"Curl_auth_create_gssapi_user_message","file":"lib/vauth/krb5_gssapi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73
cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"26809615103712896894449373739167658218","length":798},"id":"CURL-CVE-2026-8458-b713f683","deprecated":false,"target":{"function":"socks5_sspi_setup","file":"lib/socks_sspi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["192209044385899844183693988015767327393","149539691351365310675450276876553057442","266833078777338860725877708101019842227","48234179652972630197282195413863692909"],"threshold":0.9},"id":"CURL-CVE-2026-8458-b85a66f4","deprecated":false,"target":{"file":"lib/imap.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"211883848174664395509728831488271811006","length":2800},"id":"CURL-CVE-2026-8458-b9a4a14b","deprecated":false,"target":{"function":"override_login","file":"lib/url.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["30605879100500437507856373944605254832","337027118988515764330638184673270102903","85887358452963428903011354564335339882","215337797396709220790280947467406375611","210302217785079320972611363767713632054","326533131827468475674276902505654461727","184216407984109482672351630691437525484"],"threshold":0.9},"id":"CURL-CVE-2026-8458-baeb8eed","deprecated":false,"target":{"file":"lib/vauth/spnego_sspi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["189805629532768806605605493410995959624","125810241216915808454464634632072294682","52260443936822369657461160024432008325","319184244094858240392511329050456590502"],"threshold":0.9
},"id":"CURL-CVE-2026-8458-be712aeb","deprecated":false,"target":{"file":"lib/pop3.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["115376777505587827620471669613014555513","257268835978956040638342100145675498591","146682638191626827612469621854959300268","242837492374400765180157871716340007329","63235119232089688767519300617684024494","338776260036417418076396347546294144223","80398380667354116892639927281141551019","215064512947686384998841065225982714796"],"threshold":0.9},"id":"CURL-CVE-2026-8458-beb31972","deprecated":false,"target":{"file":"lib/vauth/krb5_sspi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"81972827631764743423051002420630942738","length":403},"id":"CURL-CVE-2026-8458-c0aff8ee","deprecated":false,"target":{"function":"pop3_perform_user","file":"lib/pop3.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["204948646437911583000451231954613052759","43171189151216146443162651772042634801","323108295533411513677390647971032475967","202820097847514769072720009112018648987","250129161972191357581571743388673667098","75197854796838014072050481970545317094","64201274780541139630565820506444092430","290068352038601298686864054407251717452","44009602466531841248142331354329391729","271378079365442358889864868476306436038","268689102617259311824991617806165302777","244308229415381798906281392847708725366","149560144109006021728529420958547216151","154180039423079669475500698963298631195","335939243097788969302670473207543629533","218183911202367150585545379123325942825","101620917788355195258450986074289897869","219432484084302484204187382504549384146","96059385989574848170943985461889
250408","263543846517895687310758691795538188016","156819644504175040439321243641859269488","54322947945066766729917823266125930362","310415774278603841667845040459527645957","232375231424210085068419118231295587738","263529411355180058234391138124206733879","182667147496115462284035957460340565105","180827070857863041885997406312062947585"],"threshold":0.9},"id":"CURL-CVE-2026-8458-c1a344c4","deprecated":false,"target":{"file":"lib/url.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"101917370021938686314867888743619413606","length":2180},"id":"CURL-CVE-2026-8458-c4b6c20a","deprecated":false,"target":{"function":"Curl_auth_decode_spnego_message","file":"lib/vauth/spnego_gssapi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"11778748696068745838182869705274527348","length":4160},"id":"CURL-CVE-2026-8458-c87986ec","deprecated":false,"target":{"function":"Curl_auth_decode_spnego_message","file":"lib/vauth/spnego_sspi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["25947991640903384166934030227343822770","214184092662992305444377033299324540376","184760400956734988795321710567704625546","118508349720772485782036383126063947532","148291234461390097071728963409975931917","247790282546515250871989945859688813285","94783326404154355558429739059661672762","262809762930830940974272485484260549574","259746583212884874306626506497164162841","270546744587123026340614595136034149922","22045359633690587295218145906006325727","238966305812429568028598023272539358457","320031947986299904087034190401087536303","156669179242208414330681636439105305973","214008744266984397418800587488177810019","241341760325
921362263519988412024803226","289922247225719498890477046446411169976","316487034480750197080007518941763205401","279309486179908728202284554329027956687","239839587932310150544439752936967129600","179761887423419717821143260985047094180","261846874875494497779666637100247829833","5549136075214084120740194861751696462"],"threshold":0.9},"id":"CURL-CVE-2026-8458-c990aa91","deprecated":false,"target":{"file":"lib/http_ntlm.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["131133269132561604980160935777623914227","236643273924206828746213736897287979489","13992128071164298375871385942225218502","238854585901285710447431180099839543713","98107255346311729849131309663644230494","28608618421344094777261367402872538268","234467850532933353869606452836954719391","72706051931516208994044223461333507889"],"threshold":0.9},"id":"CURL-CVE-2026-8458-cde4337b","deprecated":false,"target":{"file":"lib/vauth/ntlm_sspi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"292014136446134248894240624098740270751","length":856},"id":"CURL-CVE-2026-8458-ceacc59e","deprecated":false,"target":{"function":"sasl_choose_krb5","file":"lib/curl_sasl.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"102041484563633851174650686870841548528","length":488},"id":"CURL-CVE-2026-8458-db08d0fc","deprecated":false,"target":{"function":"url_set_conn_login","file":"lib/url.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"201385764185832298124218835659603414032","length":812},"id":"CURL-CVE-2026-8458-de8e07ee"
,"deprecated":false,"target":{"function":"netrc_finalize","file":"lib/netrc.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["118294419820340559685915022133562022191","227375538359275878663916601881574310757","70402421402622044543297828147024294844","240758161275349280446376060242104724400"],"threshold":0.9},"id":"CURL-CVE-2026-8458-dec30f5f","deprecated":false,"target":{"file":"lib/netrc.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"121653307757525424836898635586106215868","length":4075},"id":"CURL-CVE-2026-8458-e3d26f76","deprecated":false,"target":{"function":"socks5_connect","file":"lib/socks.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"169816356920265988576536134421158009729","length":521},"id":"CURL-CVE-2026-8458-e6b89257","deprecated":false,"target":{"function":"imap_perform_login","file":"lib/imap.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"170568490105329642579226280768661728882","length":4250},"id":"CURL-CVE-2026-8458-f588081b","deprecated":false,"target":{"function":"Curl_auth_create_digest_md5_message","file":"lib/vauth/digest.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"161140253318119641798948593070067853950","length":2066},"id":"CURL-CVE-2026-8458-f6f517c4","deprecated":false,"target":{"function":"Curl_input_negotiate","file":"lib/http_negotiate.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf4
41d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"242896197719548288530221799129464267680","length":224},"id":"CURL-CVE-2026-8458-f8ed9b53","deprecated":false,"target":{"function":"t1304_set_creds","file":"tests/unit/unit1304.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["206769408198388035105797554035900268579","180767291568760539427339963530308435875","111883483407954580134893859589649627338","128511627094956920563736673181966493546","339155530518974488967280816155419544789","315474338656017060954850194368263497885","231664257058018842411835629741781577812","18513927242192594914949385122644051818","85584622225802311782354624304144466386","265953906445018271897060941191463026843","22485996410497683027131952627038916280","230709435385335507837110808688382515357","131019033132838978647237503155578696328","225319779446599512713356755644467284691","198448922597619647416668232414459259754","254555840770415729595115916379337563994","204889792529614848566939637007270365349","116084511672751982969659482821362431549"],"threshold":0.9},"id":"CURL-CVE-2026-8458-fa8dea80","deprecated":false,"target":{"file":"lib/socks_sspi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"161122196913116638932125263875127728936","length":2234},"id":"CURL-CVE-2026-8458-facbf8e0","deprecated":false,"target":{"function":"Curl_auth_create_ntlm_type1_message","file":"lib/vauth/ntlm_sspi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"},{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"72289558331978670027463500603255503506","length":1569},"id":"CURL-CVE-2026-8458-fd95c886","deprecated":false,"target":{"functio
n":"Curl_SOCKS5_gssapi_negotiate","file":"lib/socks_sspi.c"},"source":"https://github.com/curl/curl.git/commit/5e99b73cf441d9c369768b9cd48b5389b9a2503d"}],"vanir_signatures_modified":"2026-06-24T14:05:45Z","source":"https://curl.se/docs/CURL-CVE-2026-8458.json"}}],"schema_version":"1.7.5","credits":[{"name":"Muhamad Arga Reksapati","type":"FINDER"},{"name":"Stefan Eissing","type":"REMEDIATION_DEVELOPER"}]}