A vulnerability labeled as critical has been found in cURL up to 8.20.0. Affected is the function free. Executing a manipulation can lead to double free.

This vulnerability appears as CVE-2026-8925. The attack may be performed from remote. There is no available exploit.