CVE-2026-3784 beat a new #curl record. This flaw existed in curl source code for 24.97 years before it was discovered.

Illustrated in the slightly hard-to-read graph below. The average age of a curl vulnerability when reported is eight years.

https://curl.se/docs/CVE-2026-3784.html

@bagder it's just crazy that curl is that old... I am that old?
@buster before curl there was nothing 😎
@bagder this vulnerability is almost as old as me lol
@bagder a vulnerability older than me and my usage of curl is wild 😂😂😂

@bagder

Daniel,

I cannot thank you enough for doing this kind of data-mining, it is very strong and compelling evidence that the way we do software is simply not good enough.

@bagder What happened around 2017-19? Sharp drop in age (and number?) of "high" vulnerabilities? Have they all been found? Has code quality increased? Bug bounties?

I second @bsdphk - this is remarkable and very useful data. Thank you!
@ltning @bsdphk better tooling, fuzzing and CI taking off maybe?

@bagder @ltning

I will argue that we have done all of that in Vinyl Cache (the FOSS project formerly known as Varnish Cache), and we still end up with CVEs.

But obviously, those tools are a major reason we have so few CVEs.

@bsdphk @ltning well sure, we run all those tools and many more in curl as well, and we still get CVEs. Traditional tools have had the limitation that they have required the code to compile or run to be able to find problems, and sometimes build targets and build options combined have made it hard.
@bagder Curl is older than me 🤔