CVE-2026-8932, a 24-year-old mutual TLS connection reuse flaw in curl/libcurl, was patched in version 8.21.0. Any service using libcurl for mTLS-authenticated service-to-service communication has been operating under a broken mutual authentication assumption. Given curl’s near-universal presence in enterprise software stacks across Linux, Windows, and macOS, the blast radius for unpatched deployments is broad.