{"id":"CURL-CVE-2026-5773","summary":"wrong reuse of SMB connection","details":"libcurl might in some circumstances reuse the wrong connection for SMB(S)\ntransfers.\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criteria must be met. Due to a logical\nerror in the code, a network transfer operation that was requested by an\napplication could wrongfully reuse an existing SMB connection to the same\nserver that was using a different \"share\" than the new subsequent transfer\nshould.\n\nThis could in unlucky situations lead to the download of the wrong file or the\nupload of a file to the wrong place. When this happens, the same credentials\nare used and the server name is the same.","aliases":["CVE-2026-5773"],"modified":"2026-04-29T08:02:59.005059Z","published":"2026-04-29T08:00:00Z","database_specific":{"last_affected":"8.19.0","CWE":{"id":"CWE-488","desc":"Exposure of Data Element to Wrong Session"},"URL":"https://curl.se/docs/CVE-2026-5773.json","issue":"https://hackerone.com/reports/3650689","www":"https://curl.se/docs/CVE-2026-5773.html","affects":"both","severity":"Low","package":"curl"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.40.0"},{"fixed":"8.20.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"aec2e865f06669b9cb5d26cc1148d70bc418b163"},{"fixed":"74a169575d6412dc0ff532acdf94de35a6c2a571"}]}],"versions":["8.19.0","8.18.0","8.17.0","8.16.0","8.15.0","8.14.1","8.14.0","8.13.0","8.12.1","8.12.0","8.11.1","8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","8.7.1","8.7.0","8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0"],"database_specific":{"vanir_signatures":[{"digest":{"line_hashes":["283484103587021140185473640195385188213","51413613464287816571195646581916328705","50657125667698113139735675550160507197","109745977035312476342802684866473502970","155876444996527445678040642288005699706","189120337197838981146493639364407128017","110638884583177156814419953150639226214","58536000395487246013630143241898699709"],"threshold":0.9},"id":"CURL-CVE-2026-5773-ce96841d","deprecated":false,"target":{"file":"lib/protocol.c"},"source":"https://github.com/curl/curl.git/commit/74a169575d6412dc0ff532acdf94de35a6c2a571","signature_type":"Line","signature_version":"v1"}],"source":"https://curl.se/docs/CURL-CVE-2026-5773.json","vanir_signatures_modified":"2026-04-29T08:02:59Z"}}],"schema_version":"1.7.5","credits":[{"name":"Osama Hamad","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}