I suppose it's theoretically possible someone was hoarding this as a zero-day and may decide to more actively exploit it before it gets patched. Except of course that they don't know which precise vulnerability it is.
Also what I consider is that who has insider access and how does that information leak... This fix must be known at least some members of curl developers. Will they leak it or not? Or anyone who receive it early...