CVE-2026-3805
use after free in SMB connection reuse
Project curl Security Advisory, March 11th 2026 Permalink
VULNERABILITY
When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.
INFO
When the bad code hits, curl first makes a strlen() on the (freed) memory pointer, then checks that the size is less than or equal than 1024 for it to do something.
Then it copies that string to the the outgoing package which then potentially could leak sensitive data if the application happened to put it there in the mean time since the previous transfer.
This seems extremely hard for an attacker to willingly abuse or to massage the application into leaking specific information. It also seems highly unlikely that any application ever did this sequence without getting a crash or another issue that would indicate there is a problem in curl. The risk here is therefore minimal.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-3805 to this issue.
CWE-416: Use After Free
Severity: Medium
AFFECTED VERSIONS
- Affected versions: curl 8.13.0 to and including 8.18.0
- Not affected versions: curl < 8.13.0 and >= 8.19.0
- Introduced-in: https://github.com/curl/curl/commit/f4831daa9b2a97e8a29
libcurl is used by many applications, but not always advertised as such!
This bug is considered a C mistake. It is likely to have been avoided had we not been using C.
This flaw also affects the curl command line tool.
SOLUTION
curl 8.19.0 fixes this flaw
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade to curl and libcurl 8.19.0
B - Apply the patch and rebuild libcurl
C - Do not use SMB transfers
TIMELINE
It was reported to the curl project on March 8th 2026. We contacted distros@openwall on March 8.
libcurl 8.19.0 was released on March 11th 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Daniel Wade
- Patched-by: Stefan Eissing
Thanks a lot!