Connection Reuse Vulnerability in libcurl for SMB Transfers
CVE-2026-5773

7.5 HIGH

Key Information:

Vendor: Curl

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-5773?

libcurl may incorrectly reuse an established connection during SMB file transfers due to a logical error in its code. This flaw allows for the potential mixing of file uploads and downloads between different shares on the same server. As a result, an application might inadvertently download the wrong file or upload a file to an unintended location, while using the same set of credentials and the same server context. This presents significant risks for data integrity and confidentiality in networked environments.

Affected Version(s)

curl 8.19.0

curl 8.18.0

curl 8.17.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Osama Hamad
Daniel Stenberg