Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
Unrated

curl trailing dot domain super cookie

IdentifiersCVE-2026-8924CWE-201

CVE-2026-8924 is a low-severity vulnerability in curl/libcurl cookie domain validation that allows a malicious HTTP server to set a "super cookie" by abusing trailing-dot hostnames and cookie domains. When curl accesses a URL whose hostname includes a trailing dot, such as example.co.uk., and the server responds with a cookie scoped to a public suffix domain with a trailing dot, such as Domain=co.uk., curl's Public Suffix List validation via libpsl can be bypassed. Without trailing dots, the same PSL check correctly identifies the domain as a public suffix and rejects the cookie. Due to this parsing/validation flaw, curl may store the cookie and later send it to unrelated domains under that suffix. The issue affects curl versions 7.46.0 through 8.20.0 and was fixed in 8.21.0.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker-controlled origin to inject overly broad cookies into curl's cookie jar and have those cookies later transmitted to unrelated third-party domains within the affected suffix scope. This can expose attacker-set cookie data through subsequent requests and can interfere with application logic that relies on cookie isolation between domains. The advisory classifies the issue as information exposure through sent data and rates it Low severity.

Mitigation

If you can’t patch tonight, do this now.

Avoid using trailing dots in hostnames in URLs until patched. Reduce or disable reliance on shared cookie jars when communicating with untrusted HTTP servers, and avoid accepting/storing cookies from untrusted origins where operationally feasible. Note that builds without PSL support cannot protect against this class of overly broad cookie issue.

Remediation

Patch, then assume compromise.

Upgrade curl/libcurl to version 8.21.0 or later. If upgrading is not immediately possible, apply the upstream fix/patch referenced by curl for CVE-2026-8924. Ensure builds include PSL support where possible, although the advisory notes that this specific flaw bypassed PSL enforcement in affected versions.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
cyber security newsNews
Jun 25, 2026
25-Year-Old Vulnerability in curl Used by 30 Billion Devices Finally Patched

A curl/libcurl cookie handling vulnerability related to trailing-dot domains that can result in a super-cookie condition.

Read more
daniel haxx seNews
Jun 25, 2026
Trailing dots are the worst | daniel.haxx.se

A curl cookie domain validation vulnerability where trailing dots could bypass Public Suffix List checks, allowing improper acceptance of cookies for public suffix domains.

Read more
daniel haxx seNews
Jun 24, 2026
curl 8.21.0 | daniel.haxx.se

A low-severity curl/libcurl vulnerability related to cookie handling for trailing-dot domains, enabling an overly broad 'super cookie' condition.

Read more
curlNews
Jun 24, 2026
curl - trailing dot domain super cookie - CVE-2026-8924

A low-severity curl cookie parsing vulnerability that allows malicious servers to set super cookies by abusing trailing-dot domains, bypassing Public Suffix List protections and causing cookies to be sent to unrelated third-party domains.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-8924
NVD
nvd.nist.gov/vuln/detail/CVE-2026-8924
MITRE CWE · CWE-201
cwe.mitre.org