Connection Reuse Vulnerability in libcurl for SMB Transfers
CVE-2026-5773

Currently unrated

Key Information:

Vendor

Curl

Status
Curl
Vendor
CVE Published:
13 May 2026

What is CVE-2026-5773?

libcurl may incorrectly reuse an established connection during SMB file transfers due to a logical error in its code. This flaw allows for the potential mixing of file uploads and downloads between different shares on the same server. As a result, an application might inadvertently download the wrong file or upload a file to an unintended location, while using the same set of credentials and the same server context. This presents significant risks for data integrity and confidentiality in networked environments.

Affected Version(s)

curl 8.19.0

curl 8.18.0

curl 8.17.0

References

https://curl.se/docs/CVE-2026-5773.json
https://curl.se/docs/CVE-2026-5773.html
https://hackerone.com/reports/3650689

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Osama Hamad
Daniel Stenberg
.