AISLE Discovers 6 CVEs in curl, Including Oldest Issue Ever

Curl runs on more than 30 billion devices. As one of the most important pieces of software in the world, it facilitates data transfers to and from operating systems, containers, appliances, CI pipelines, package managers, SDKs, cars, and is even on Mars inside NASA’s Ingenuity Helicopter. Billions of users never run the curl command directly, but still depend on libcurl, the engine behind curl, through another product.

On May 11, 2026, curl founder and lead developer Daniel Stenberg announced that Anthropic’s Mythos model had found a single CVE in curl. His blog post unleashed a wave of research, which led to a flood of security reports to the curl project and, eventually, to the highest number of CVEs ever issued for a release of curl, 18.

AISLE led all security organizations with 6 of those 18 CVEs, plus additional valid findings, across curl and libcurl. The next-closest AI-powered organization received 3 CVEs, while researchers using Anthropic and OpenAI models found 1 each. These discoveries provide further validation that AISLE’s model-agnostic system can outperform frontier models at a fraction of the cost, in any deployment environment.

All AISLE findings were responsibly disclosed to the curl project and were fixed in the June 24, 2026 release of curl 8.21.0. We urge everyone to update to the latest version.

Finding the Oldest curl Security Issue Ever Reported

Curl is of particular interest to security researchers because the easy bugs are long gone. What remains is difficult to find: old protocol paths, state reuse, callback behavior, credential selection, and code paths that are easily forgotten about. That’s why we used AISLE’s autonomous vulnerability detection capability to find vulnerabilities in fall 2025, discovering 29 valid findings and 5 CVEs.

The 6 CVEs most recently identified by AISLE range from classic memory-lifetime issues to logic bugs in how libcurl decides whether a connection, credential, or host identity is still valid. They include CVE-2026-8932, the oldest curl vulnerability reported so far at over 25 years of age. It has shipped in releases since curl version 7.7 and first shipped on March 22, 2001.

A Summary of AISLE’s Findings

Notably, several issues only affect libcurl applications, not the curl command line tool. This means they affect the code embedded deep inside products where users do not know it is present, and where they become likely targets reachable through application behavior.

AISLE also reported several other curl bugs, including three memory safety issues:

Not every bug becomes a CVE, but these reports fall within the same category. They are all subtle edge cases in mature infrastructure code, especially around memory safety, state transitions, and esoteric API paths.

Bolstering the Case for Model-Agnostic Security Systems

The fact that AISLE claimed 6 of the 18 total findings in this release provides further support for our premise that well-engineered, model-agnostic systems rival high-powered frontier models on cybersecurity tasks.

Moreover, AISLE did more than simply discover vulnerabilities. Three CVEs were also patched using fixes generated by our platform. It goes to show that cybersecurity capability is jagged: for well-defined security tasks, smaller models can outperform much larger and more expensive LLMs. Notably, they can do so locally, completely on-premises, without making API calls.

The challenge is to match model capability and security needs. In other words, AI-native cybersecurity is not primarily a compute problem, but an engineering problem.

Engineering AI for Security with AISLE

AISLE’s end-to-end vulnerability management platform delivers autonomous security within your deployment constraints, from air-gapped networks to the cloud. If you want to see what AI will find in your codebase, talk to us.

Our sincere thanks to the curl project for their professionalism throughout the disclosure process. All our CVEs were reported and disclosed by Joshua Rogers of the AISLE Research Team.

🕒 **Posted on**: 1782381522
