{"id":"CURL-CVE-2026-8925","summary":"SASL double-free","details":"The curl logic that works with SASL authentication could end up cleaning up\nthe GSASL context *twice* without clearing the pointer in between, making it\n`free()` the same pointer twice.","aliases":["CVE-2026-8925"],"modified":"2026-06-24T14:05:44.665931Z","published":"2026-06-24T08:00:00Z","database_specific":{"severity":"Medium","last_affected":"8.20.0","affects":"both","package":"curl","www":"https://curl.se/docs/CVE-2026-8925.html","CWE":{"desc":"Double Free","id":"CWE-415"},"URL":"https://curl.se/docs/CVE-2026-8925.json","issue":"https://hackerone.com/reports/3735193"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.15.0"},{"fixed":"8.21.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ab650379a8c25ca952f651476d25b4cdd77bb3fc"},{"fixed":"3da249e1f0716c06644ed3522a37a8bf81808012"}]}],"versions":["8.20.0","8.19.0","8.18.0","8.17.0","8.16.0","8.15.0","curl-8_20_0","rc-8_20_0-3","rc-8_20_0-2","rc-8_20_0-1","curl-8_19_0","rc-8_19_0-3","rc-8_19_0-2","rc-8_19_0-1","curl-8_18_0","rc-8_18_0-3","rc-8_18_0-2","rc-8_18_0-1","curl-8_17_0","curl-8_16_0","curl-8_15_0"],"database_specific":{"vanir_signatures":[{"target":{"file":"lib/vauth/gsasl.c","function":"Curl_auth_gsasl_is_supported"},"source":"https://github.com/curl/curl.git/commit/3da249e1f0716c06644ed3522a37a8bf81808012","digest":{"function_hash":"302084604714407525692251374694272900329","length":369},"signature_type":"Function","id":"CURL-CVE-2026-8925-2119fa0c","signature_version":"v1","deprecated":false},{"target":{"file":"lib/vauth/gsasl.c"},"source":"https://github.com/curl/curl.git/commit/3da249e1f0716c06644ed3522a37a8bf81808012","digest":{"line_hashes":["317222883309502823860142597895135200148","331108732736569959240708242580802890926","35931978830601830520329644919584359428","316091287703603607087007343834677822635","286034720472754720016913912006726094777","95164131527673258171731104945717953672","10060228462306698533293701394813706719"],"threshold":0.9},"signature_type":"Line","id":"CURL-CVE-2026-8925-3f7f0884","signature_version":"v1","deprecated":false}],"source":"https://curl.se/docs/CURL-CVE-2026-8925.json","vanir_signatures_modified":"2026-06-24T14:05:44Z"}}],"schema_version":"1.7.5","credits":[{"name":"Joshua Rogers (Aisle Research)","type":"FINDER"},{"name":"Viktor Szakats","type":"REMEDIATION_DEVELOPER"}]}