{"id":"CURL-CVE-2026-3805","summary":"use after free in SMB connection reuse","details":"When doing a second SMB request to the same host again, curl would wrongly use\na data pointer pointing into already freed memory.","aliases":["CVE-2026-3805"],"modified":"2026-05-19T14:06:55.266025Z","published":"2026-03-11T08:00:00Z","database_specific":{"affects":"both","issue":"https://hackerone.com/reports/3591944","package":"curl","CWE":{"id":"CWE-416","desc":"Use After Free"},"www":"https://curl.se/docs/CVE-2026-3805.html","URL":"https://curl.se/docs/CVE-2026-3805.json","last_affected":"8.18.0","severity":"Medium"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.13.0"},{"fixed":"8.19.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"f4831daa9b2a97e8a2921d6b62cc4dfdd0d8646e"},{"fixed":"e090be9f73a7a71459ef678c7cc4b1f75e3ea883"}]}],"versions":["8.18.0","8.17.0","8.16.0","8.15.0","8.14.1","8.14.0","8.13.0","rc-8_19_0-3","rc-8_19_0-2","rc-8_19_0-1","curl-8_18_0","rc-8_18_0-3","rc-8_18_0-2","rc-8_18_0-1","curl-8_17_0","curl-8_16_0","curl-8_15_0","curl-8_14_1","curl-8_14_0","curl-8_13_0"],"database_specific":{"vanir_signatures_modified":"2026-05-19T14:06:55Z","vanir_signatures":[{"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/e090be9f73a7a71459ef678c7cc4b1f75e3ea883","target":{"file":"lib/smb.c","function":"smb_parse_url_path"},"deprecated":false,"signature_type":"Function","digest":{"length":724,"function_hash":"289847432197702324794191133246124145933"},"id":"CURL-CVE-2026-3805-2ab8a3de"},{"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/e090be9f73a7a71459ef678c7cc4b1f75e3ea883","target":{"file":"lib/smb.c"},"deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["163808748811371786782199699897667189542","325457013810826341318211040079781078716","294062214089768537536365967120238280223","132655654719507066228448899200264599584","324818812774752838867107657524014262896","160476659609237798664993381375506485381","335829492365890858833679582634694893217","289029429182370148455254646371324641286","56746537489207671791044405436147061958","33160512070584524310817563226480877156","102643015126280826627871954385407506312","290813323667203918291440619953973589670","184473145691120205563893336541950338029","5673371021612161770379471572141457256","167416925871956933097257764103393210532","165710950848604753851934805710205714833","21212123070025071099371863703377579277","66934316479251411395459401656526835667"]},"id":"CURL-CVE-2026-3805-8d0d6de0"},{"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/e090be9f73a7a71459ef678c7cc4b1f75e3ea883","target":{"file":"lib/smb.c","function":"smb_easy_dtor"},"deprecated":false,"signature_type":"Function","digest":{"length":150,"function_hash":"283418310670605729825737110288136594220"},"id":"CURL-CVE-2026-3805-cd34babf"}],"source":"https://curl.se/docs/CURL-CVE-2026-3805.json"}}],"schema_version":"1.7.5","credits":[{"name":"Daniel Wade","type":"FINDER"},{"name":"Stefan Eissing","type":"REMEDIATION_DEVELOPER"}]}