libcurl CVE-2026-5773 SMB connection reuse vulnerability advisory

Vulnerability Overview Vulnerability ID: CVE-2026-5773 Description: In certain situations, libcurl may incorrectly reuse SMB (Server Message Block) connections. libcurl maintains a pool of recently used connections to reuse them under certain conditions to avoid overhead. However, due to a logic error in the code, libcurl may incorrectly reuse an SMB connection that was previously used for a different "share," leading to downloading the wrong file or uploading to the wrong server. Severity: Low Publication Date: 2026-04-29T08:00:00Z Last Affected Version: 8.19.0 Affected Versions Affected Versions: - 8.19.0, 8.18.0, 8.17.0, 8.16.0, 8.15.0, 8.14.1, 8.14.0, 8.13.0, 8.12.1, 8.12.0, 8.11.1, 8.11.0, 8.10.1, 8.10.0, 8.9.1, 8.9.0, 8.8.0, 8.7.1, 8.7.0, 8.6.0, 8.5.0, 8.4.0, 8.3.0, 8.2.1, 8.2.0, 8.1.2, 8.1.1, 8.1.0 - 8.0.1, 8.0.0, 7.88.1, 7.88.0, 7.87.0, 7.86.0, 7.85.0, 7.84.0, 7.83.1, 7.83.0, 7.82.0, 7.81.0, 7.80.0, 7.79.1, 7.79.0, 7.78.0, 7.77.0, 7.76.1, 7.76.0, 7.75.0, 7.74.0, 7.73.0, 7.72.0, 7.71.1, 7.71.0, 7.70.0, 7.69.1, 7.68.0, 7.67.0, 7.66.0, 7.65.3, 7.65.1, 7.65.0, 7.64.1, 7.64.0, 7.63.0, 7.62.0, 7.61.1, 7.61.0, 7.60.0, 7.59.0, 7.58.0, 7.57.0, 7.56.1, 7.56.0, 7.55.1, 7.55.0, 7.54.1, 7.54.0, 7.53.1, 7.53.0, 7.52.1, 7.52.0, 7.51.0, 7.50.3, 7.50.2, 7.50.1, 7.50.0, 7.49.1, 7.49.0, 7.48.0, 7.47.1, 7.47.0, 7.46.0, 7.45.0, 7.44.0, 7.43.0, 7.42.1, 7.42.0, 7.41.0, 7.40.0 Remediation Fixed Version: 8.20.0 Git Repository: https://github.com/curl/curl.git Fix Commit: 74a169575d6412dcff532acf94de35a6c2571 Details Discovered By: Osama Hamad Fixed By: Daniel Stenberg Details: libcurl may incorrectly reuse SMB connections in certain situations. libcurl maintains a pool of recently used connections to reuse them under certain conditions to avoid overhead. However, due to a logic error in the code, libcurl may incorrectly reuse an SMB connection that was previously used for a different "share," leading to downloading the wrong file or uploading to the wrong server. When this occurs, the same credentials/username will be reused, and the server name will be reused.

Goal Reached Thanks to every supporter — we hit 100%!

libcurl CVE-2026-5773 SMB connection reuse vulnerability advisory