Pending RELEASE-NOTES for the upcoming release

This is work in progress and seeing changes before the release goes public on 2026-04-29.

Changes:

• async-thrdd: use thread queue for resolving
• build: make NTLM disabled by default
• cmake: drop support for CMake 3.17 and older
• lib: add thread pool and queue
• lib: drop support for < c-ares 1.16.0
• lib: make SMB support opt-in
• multi.h: add CURLMNWC_CLEAR_ALL
• rtmp: drop support

Bugfixes:

• asyn-ares: drop orphaned variable references
• asyn-ares: fix HTTPS-lookup when not on port 443
• asyn-thrdd: fix clang-tidy unused value warning
• autotools: limit checksrc target to ignore non-repo test sources
• badwords-all: exit with correct code on errors
• badwords: combine the whitelisting into a single regex
• badwords: detect the the and with with
• badwords: only check comments and strings in source code
• badwords: rework exceptions, fix many of them
• boringssl: fix more coexist cases with Schannel/WinCrypt
• build: assume `snprintf()` in `mprintf`, drop feature check
• build: compiler warning silencing tidy-ups
• build: drop `openssl` module dependency for BoringSSL from `libcurl.pc`
• build: drop duplicate `pthread.h` includes
• build: drop redundant `USE_QUICHE` guards
• build: enable `-Wimplicit-int-enum-cast` compiler warning, fix issues
• cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR
• cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR
• cf-socket: avoid low risk integer overflow on ancient Solaris
• cmake: add CMake Config-based dependency detection
• cmake: add CMake Config-based dependency detection for c-ares, wolfSSL
• cmake: document functions used from Windows system DLLs
• cmake: resolve targets recursively when generating `libcurl.pc`
• cmake: rework binutils ld hack to not read `LOCATION` property
• cmake: silence bad library `Threads::Threads` warning
• cmake: use `AIX` built-in variable (with CMake 4.0+)
• config2setopts: make --capath work in proxy disabled builds
• configure: fix `--with-ngtcp2=<path>` option for crypto libs
• configure: fix LibreSSL ngtcp2 1.15.0+ crypto lib selection logic
• configure: prefer dependency-specific variables over `$withval`
• configure: remove superfluous experimental warning for HTTP/3
• curl-wolfssl.m4: fix to use the correct value for pkg-config directory
• curl.h: replace macros with C++-friendly method to enforce 3 args
• curl_ctype.h: fix spelling in a couple of locally used macros
• curl_get_line: error out on read errors
• curl_get_line: fix potential infinite loop when filename is a directory
• curl_ngtcp2: extend and update callbacks for 1.22.0+
• curl_ntlm_core: drop redundant PP condition
• curl_sha512_256: support delegating to wolfSSL API
• curl_version_info.md: clarify age details
• CURLOPT_HAPROXY_CLIENT_IP.md: mention assuption on data format
• CURLOPT_SSL_CTX_FUNCTION.md: expand on effects connection reuse
• curlx_now(), prevent zero timestamp
• DEPRECATE: fix minor release number typo
• digest: pass in the user name quoted (as well)
• dnscache: own source file, improvements
• docs/lib: fix typos
• docs: enable more compiler warnings for C snippets, fix 3 finds
• docs: list more dependencies for running Python HTTP tests
• docs: mention more zip bomb precautions
• docs: minor wording tweaks
• doh: fix memory-leak when doing a second DoH resolve
• examples/websocket: fix to sleep more on Windows
• examples: drop warning silencers no longer hit
• examples: fix typo in comment
• file: init fd to -1 to prevent close fd 0 on early failure
• fopen: for temp files, inherit permissions only for owner
• ftp: do not strdup DATA hostname
• ftp: make the MDTM date parser stricter (again)
• ftp: reject PWD responses containing control characters
• gcc: guard `#pragma diagnostic` in core code for <4.6
• generate.bat: remove extra % from VC11 and VC12 runs
• genserv.pl: make external calls safe
• getinfo: initialize `PureInfo` field `used_proxy`
• gnutls: fix clang-tidy warning with !verbose
• hostip: clear the sockaddr_in6 structure before use
• hsts: when a dupe host adds subdomains, use that
• http2: clear the h2 session at delete
• http2: prevent secure schemes pushed over insecure connections
• http2: return error on OOM in push headers
• HTTP3.md: drop outdated mentions of OpenSSL-QUIC
• http: fix Curl_compareheader for multi value headers
• http: make Curl_compareheader handle multiple commas in header
• imap: reset the UIDVALIDITY state between transfers
• include: drop 'will' from public headers
• keylog.h: replace literal number with macro in declaration
• keylog: drop unused/redundant includes and guards
• ldap: drop duplicate `ldap_set_option()` on Windows
• ldap: fix to initialize cleartext connection on Windows
• lib: always use Curl_1st_fatal instead of Curl_1st_err
• libssh2: fix error handling on quote errors
• libssh: propagate error back in SFTP function
• libtest: drop duplicate include
• location/follow: mention netrc
• md4, md5: switch to wolfCrypt API in wolfSSL builds
• mk-ca-bundle.pl: make generated timestamps deterministic
• multi: fix connection retry for non-http
• multi: improve wakeup and wait code
• netrc: find login-less password when user is given in URL
• netrc: remove unused parsenetrc() macro for netrc-disabled
• netrc: skip malformed macdef lines
• openssl channel_binding: lookup digest algorithm without NID
• openssl: drop obsolete SSLv2 logic
• openssl: fix build with 4.0.0-beta1 no-deprecated
• openssl: fix memory leaks in ECH code (OpenSSL 3)
• openssl: trace count of found / imported Windows native CA roots
• OS400: add new definitions to the ILE/RPG binding.
• os400sys: fix typo in comment (symetry -> symmetry)
• perl: harden external command invocations
• progress: count amount of data "delivered" to application
• protocol.h: fix the CURLPROTO_MASK
• protocol: use scheme names lowercase
• proxy: chunked response, error code
• pytest: add additional quiche check for flaky test_05_01
• rand: use `BCryptGenRandom()` in UWP builds
• ratelimit: reset on start
• request: reset resp_trailer in new requests
• scripts: drop redundant double-quotes: `"$var"` -> `$var` (Perl)
• scripts: harden / tidy up more Perl `system()` calls
• sha256, sha512_256: switch to wolfCrypt API
• sha256: support delegating to wolfSSL API
• share: concurrency handling, easy updates
• socks: reject zero-length GSSAPI/SSPI tokens from proxy
• src: use ftruncate() unconditionally
• sshserver.pl: harden more `system()` calls
• sshserver.pl: pass command-line to `system()` safely
• strerr: correct the strerror_s() return code condition
• sws: fix potential OOB write
• synctime: fix off-by-one read and write to a read-only buffer (Windows)
• test459: switch to mode="warn" for stderr check
• testcurl.pl: replace shell commands with Perl `rmtree()`
• tests/unit/README: describe how to unit test static functions
• tool: check for curlinfo->age when determining if ssh backend
• tool: fix memory mixups
• tool: fix two more allocator mismatches
• tool_cb_hdr: only truncate etags output when regular file
• tool_cb_rea: make waitfd() return void
• tool_cb_wrt: fix no-clobber error handling
• tool_cfgable: free the SSL signature algorithms
• tool_formparse: propagate my_get_line errors when reading headers
• tool_getparam: use correct free function for libcurl memory
• tool_ipfs: accept IPFS gateway URL without set port number
• tool_msgs: avoid null pointer deref for early errors
• tool_operate: actually apply the --parallel-max-host limit
• tool_operate: drop the scheme-guessing in the -G handling
• tool_operate: fix condition for loading `curl-ca-bundle.crt` (Windows)
• tool_operate: fix memory-leak on failed uploads
• tool_operate: fix minor memory-leak on early error
• tool_operhlp: fix `add_file_name_to_url()` result on OOM
• tool_operhlp: iterate through all slashes to find name
• tool_operhlp: propagate low-level OOM in `add_file_name_to_url()`
• tool_setopt: return error on OOM correctly
• tool_urlglob: fix memory-leak on glob range overflow
• top-complexity: prevent filename-based shell injection risk
• transfer: clear the URL pointer in OOM to avoid UAF
• transfer: enable custom methods again on next transfer
• transfer: enhance secure check
• url: do not reuse a non-tls starttls connection if new requires TLS
• url: use the socks type for socks proxy
• url: use URL for url even in comments
• urlapi: fix handling of "file:///"
• urlapi: make dedotdotify handle leading dots correctly
• urlapi: verify the last letter of a scheme when set explicitly
• urldata: connection bit ipv6_ip is wrong
• urldata: import port types and conn destination format
• urldata: make hstslist only present in HSTS builds
• urldata: make speeder_c uint32
• urldata: remove trailers_state
• wolfssl: document v5.0.0 (2021-11-01) as minimum required
• wolfssl: fix handling of abrupt connection close
• x509asn1: fix to return error in an error case from `encodeOID()`
• x509asn1: fixed and adapted for ASN1tostr unit testing
• x509asn1: improve encodeOID

Contributors:

am-perip on hackerone, Arkadi Vainbrand, Carlos Henrique Lima Melara, crawfordxx, Dan Fandrich, Daniel Stenberg, dependabot[bot], Dexter Gerig, Ercan Ermis, fds242 on github, Flavio Amieiro, Greg Kroah-Hartman, Harry Sintonen, Henrique Pereira, James Fuller, Jason Stangroome, Kai Pastor, Kaixuan Li, lg_oled77c5pua on hackerone, M42kL33 on hackerone, m777m0 on hackerone, Marcel Raad, Martin Dürrmeier, Michael Hendricks, Michael Kaufmann, Orgad Shaneh, Otis Cui Lei, Patrick Monnerat, Ray Satiro, renovate[bot], Richard Tollerton, Rob Crittenden, Scott Boudreaux, Sergey Fedorov, Stefan Eissing, Viktor Szakats, Vladimír Marek, xkilua on hackerone, Yoshiro Yoneya