
[ADVISORY] curl: CVE-2026-5773: wrong reuse of SMB connection

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 29 Apr 2026 08:01:05 +0200 (CEST)

wrong reuse of SMB connection
=============================

Project curl Security Advisory, April 29 2026
[Permalink](https://curl.se/docs/CVE-2026-5773.html)

VULNERABILITY
-------------

libcurl might in some circumstances reuse the wrong connection for SMB(S)
transfers.

libcurl features a pool of recent connections so that subsequent requests can
reuse an existing connection to avoid overhead.

When reusing a connection, a range of criteria must be met. Due to a logical
error in the code, a network transfer requested by an application could
wrongfully reuse an existing SMB connection to the same server that was set up
for a different "share" than the one the new transfer should use.

This could in unlucky situations lead to the download of the wrong file or the
upload of a file to the wrong place. When this happens, the same credentials
are used and the server name is the same.

INFO
----

curl only supports SMB version 1 and no later version. SMB version 1 is
considered insecure and deprecated and is therefore commonly disabled in
servers. curl is scheduled to drop support for SMB later in 2026. SMB support
is opt-in since 8.20.0.

In this flaw, the code erroneously did not consider the share name as a
property to match for connection reuse.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-5773 to this issue.

CWE-488: Exposure of Data Element to Wrong Session

Severity: Low
AFFECTED VERSIONS
-----------------

This flaw has existed since curl started to support SMB.

- Affected versions: from curl 7.40.0 to and including 8.19.0
- Not affected versions: curl < 7.40.0 and >= 8.20.0
- Introduced-in: https://github.com/curl/curl/commit/aec2e865f0

libcurl is used by many applications, but not always advertised as such!

This bug is not considered a *C mistake*. It is not likely to have been
avoided had we not been using C.

This flaw **also** affects the curl command line tool.

SOLUTION
--------

curl 8.20.0 makes sure that connections using SMB never get reused.

- Fixed-in: https://github.com/curl/curl/commit/74a169575d6412d
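The reuse logic the advisory describes, as an added example in C that is not curl's code: a toy connection pool whose matcher compares scheme, host, port and user but not the SMB share, placed next to the 8.20.0 policy of never reusing SMB(S) connections. The server, user and share names are constructed for the example, and `conn_t`, `find_reusable` and `second_transfer_share` are names invented here, not libcurl APIs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not curl's code): a minimal model of a connection pool
 * whose reuse check shows the flaw this advisory describes. Host, user
 * and share names below are constructed for the example. */

typedef struct {
    const char *scheme;  /* "smb" or "smbs" */
    const char *host;
    int port;
    const char *user;
    const char *share;   /* first path segment of an SMB(S) URL */
} conn_t;

#define POOL_SIZE 4
static conn_t pool[POOL_SIZE];
static int pool_count = 0;

/* Defective check: scheme, host, port and credentials are compared, but the
 * share is not, so a connection opened for one share satisfies a transfer
 * aimed at another share on the same server (the CWE-488 condition). */
static bool matches_ignoring_share(const conn_t *c, const conn_t *want)
{
    return strcmp(c->scheme, want->scheme) == 0 &&
           strcmp(c->host, want->host) == 0 &&
           c->port == want->port &&
           strcmp(c->user, want->user) == 0;
}

/* Policy the advisory states for 8.20.0: SMB(S) connections are never
 * reused, so every SMB transfer gets a fresh connection. Other schemes
 * keep the ordinary matching, where the share is not a property at all. */
static bool matches_fixed(const conn_t *c, const conn_t *want)
{
    if (strncmp(want->scheme, "smb", 3) == 0)
        return false;
    return matches_ignoring_share(c, want);
}

/* Return the index of a pooled connection the matcher accepts, or -1. */
static int find_reusable(const conn_t *want,
                         bool (*match)(const conn_t *, const conn_t *))
{
    for (int i = 0; i < pool_count; i++)
        if (match(&pool[i], want))
            return i;
    return -1;
}

/* Simulate two transfers to the same server with the same credentials:
 * the first against share "public", the second against share "private".
 * Returns the share name of the connection the second transfer runs on. */
const char *second_transfer_share(bool use_fixed_policy)
{
    conn_t first = { "smb", "fileserver.example", 445, "alice", "public" };
    conn_t want  = { "smb", "fileserver.example", 445, "alice", "private" };

    pool_count = 0;
    pool[pool_count++] = first;    /* first transfer finished, back in pool */

    int idx = find_reusable(&want,
                            use_fixed_policy ? matches_fixed
                                             : matches_ignoring_share);
    if (idx >= 0)
        return pool[idx].share;    /* reused: the share may be the wrong one */

    if (pool_count < POOL_SIZE)
        pool[pool_count++] = want; /* open a new connection for this share */
    return want.share;
}

int main(void)
{
    printf("affected matching: second transfer uses share \"%s\"\n",
           second_transfer_share(false));
    printf("8.20.0 policy:     second transfer uses share \"%s\"\n",
           second_transfer_share(true));
    return 0;
}
```

With the defective matcher the second transfer lands on the "public" connection even though it asked for "private", which is exactly the wrong-file download or wrong-place upload the advisory warns about; with the 8.20.0 policy it gets its own connection. Adding the share to the match key would also close this particular case, but the advisory's fix is the blanket rule that SMB connections are never reused, which is what `matches_fixed` models.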
RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade to curl and libcurl 8.20.0
  B - Apply the patch and rebuild libcurl
  C - Avoid using SMB

TIMELINE
--------

It was reported to the curl project on April 5th 2026. We contacted
distros_at_openwall on April 23.

libcurl 8.20.0 was released on April 29th 2026, coordinated with the
publication of this advisory.

CREDITS
-------

- Reported-by: Osama Hamad
- Patched-by: Daniel Stenberg

Thanks a lot!
-- 
  / daniel.haxx.se || https://rock-solid.curl.dev
Received on 2026-04-29