An application that performs multiple requests with libcurl's multi API and sets the CURLOPT_CONNECT_ONLY option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection - and instead pick another one the application has created since then CREATE(Triage):(User=admin) [CVE-2020-8231|https://nvd.nist.gov/vuln/detail/CVE-2020-8231]
