CVE-2026-3805: When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.

CVE-2026-3805 [HIGH] CWE-416 GHSA-2289-hhfc-p684: When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.

CVE-2026-1965 [LOW] curl vulnerabilities curl vulnerabilities Zhicheng Chen discovered that curl could incorrectly reuse the wrong connection for Negotiate-authenticated HTTP or HTTPS requests. This could result in the use of credentials from a different connection, contrary to expectations. (CVE-2026-1965) It was discovered that curl incorrectly leaked OAuth2 bearer tokens when following a redirect. This could result in tokens being sent to the wrong host, contrary to expectations. (CVE-2026-3783) Muhamad Arga Reksapati discovered that curl incorrectly reused existing HTTP proxy connections even if the request used different credentials. This could result in the use of incorrect credentials, contrary to expectations. (CVE-2026-3784) Daniel Wade discovered that curl incorrectly handled certain memory operations when doing a s

CVE-2026-3805 [HIGH] CVE-2026-3805: When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.

CVE-2025-0167 [LOW] curl vulnerabilities Title: curl vulnerabilities Summary: Several security issues were fixed in curl. Zhicheng Chen discovered that curl could incorrectly reuse the wrong connection for Negotiate-authenticated HTTP or HTTPS requests. This could result in the use of credentials from a different connection, contrary to expectations. (CVE-2026-1965) It was discovered that curl incorrectly leaked OAuth2 bearer tokens when following a redirect. This could result in tokens being sent to the wrong host, contrary to expectations. (CVE-2026-3783) Muhamad Arga Reksapati discovered that curl incorrectly reused existing HTTP proxy connections even if the request used different credentials. This could result in the use of incorrect credentials, contrary to expectations. (CVE-2026-3784) Daniel Wade discovered that curl

CVE-2026-3805 [HIGH] CWE-825 curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. A flaw was found in curl. When handling a second Server Message Block (SMB) request to the same host, curl incorrectly accesses memory that has already been freed. This memory corruption vulnerability, known as a use-after-free, could allow a remote attacker to potentially execute arbitrary code or cause a denial of service. Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or sta

CVE-2026-3805 [HIGH] use after free in SMB connection reuse use after free in SMB connection reuse Mariner: Mariner curl: curl Customer Action Required: Yes

CVE-2026-3805 [HIGH] CVE-2026-3805: curl - When doing a second SMB request to the same host again, curl would wrongly use a... When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 8.19.0-1) sid: resolved (fixed in 8.19.0-1) trixie: open

CVE-2025-15224 [LOW] CVE-2025-15224 Impact, Exploitability, and Mitigation Steps | Wiz ## CVE-2025-15224 : cURL vulnerability analysis and mitigation When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. Source : NVD ## 3.1 Score Published January 8, 2026 Severity LOW CNA Score 3.1 Affected Technologies cURL Alma Linux Has Public Exploit Yes Has CISA KEV Exploit No CISA KEV Release Date N/A CISA KEV Due Date N/A Exploitation Probability Percentile (EPSS) 24.4 Exploitation Probability (EPSS) 0.1 Affected packages and libraries curl libcurl4 Sources Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity LOW No Fix Added at: Jan 21, 2026 Alpine 3.22, 3.23 Severity LOW No Fix Added at: Jan 28, 2026

CVE-2025-15079 [MEDIUM] CVE-2025-15079 Impact, Exploitability, and Mitigation Steps | Wiz ## CVE-2025-15079 : cURL vulnerability analysis and mitigation When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file. Source : NVD ## 5.3 Score Published January 8, 2026 Severity MEDIUM CNA Score 5.3 Affected Technologies cURL Alma Linux Has Public Exploit Yes Has CISA KEV Exploit No CISA KEV Release Date N/A CISA KEV Due Date N/A Exploitation Probability Percentile (EPSS) 10.3 Exploitation Probability (EPSS) N/A Affected packages and libraries curl-debuginfo libcurl-devel Sources Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity MED

CVE-2025-14819 [MEDIUM] CVE-2025-14819 Impact, Exploitability, and Mitigation Steps | Wiz ## CVE-2025-14819 : cURL vulnerability analysis and mitigation CURLSSLOPT_NO_PARTIALCHAIN Source : NVD ## 5.3 Score Published January 8, 2026 Severity MEDIUM CNA Score 5.3 Affected Technologies cURL Libcurl Has Public Exploit No Has CISA KEV Exploit No CISA KEV Release Date N/A CISA KEV Due Date N/A Exploitation Probability Percentile (EPSS) 13.9 Exploitation Probability (EPSS) N/A Affected packages and libraries libcurl-minimal-debuginfo libcurl-devel-doc Sources Alpine 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity MEDIUM Has Fix Added at: Jan 21, 2026 Alpine 3.22, 3.23 Severity MEDIUM Has Fix Added at: Jan 28, 2026 Alpine edge Severity MEDIUM Has Fix Added at: Jan 08, 2026 Container-Optimized OS Severity MEDIUM Has Fix Added at: Mar 03, 2026 Debian 1

CVE-2026-3805 [MEDIUM] CVE-2026-3805 Impact, Exploitability, and Mitigation Steps | Wiz ## CVE-2026-3805 : cURL vulnerability analysis and mitigation When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. Source : NVD ## 7.5 Score Published March 11, 2026 Severity HIGH CNA Score 7.5 Affected Technologies cURL Libcurl Has Public Exploit Yes Has CISA KEV Exploit No CISA KEV Release Date N/A CISA KEV Due Date N/A Exploitation Probability Percentile (EPSS) 11.7 Exploitation Probability (EPSS) N/A Affected packages and libraries rust-debugger-common rust-src Sources Alpine 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity HIGH Has Fix Added at: Mar 13, 2026 Debian 13 Severity MEDIUM No Fix Added at: Mar 12, 2026 Debian 14 Severity HIGH Has Fix Added at: Mar 12, 2026 Homebrew Severity HI

CVE-2025-14524 [MEDIUM] CVE-2025-14524 Impact, Exploitability, and Mitigation Steps | Wiz ## CVE-2025-14524 : cURL vulnerability analysis and mitigation When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. Source : NVD ## 5.3 Score Published January 8, 2026 Severity MEDIUM CNA Score 5.3 Affected Technologies cURL Alma Linux Has Public Exploit Yes Has CISA KEV Exploit No CISA KEV Release Date N/A CISA KEV Due Date N/A Exploitation Probability Percentile (EPSS) 7.2 Exploitation Probability (EPSS) N/A Affected packages and libraries libcurl-devel-32bit curl-zsh-completion Sources Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity MEDI

CVE-2026-3784 [MEDIUM] CVE-2026-3784 Impact, Exploitability, and Mitigation Steps | Wiz ## CVE-2026-3784 : cURL vulnerability analysis and mitigation curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection. Source : NVD ## 6.5 Score Published March 11, 2026 Severity MEDIUM CNA Score 6.5 Affected Technologies cURL Alma Linux Has Public Exploit Yes Has CISA KEV Exploit No CISA KEV Release Date N/A CISA KEV Due Date N/A Exploitation Probability Percentile (EPSS) 3.1 Exploitation Probability (EPSS) N/A Affected packages and libraries libcurl rust-doc Sources Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity MEDIUM Has Fix Added at: Mar 13, 20

CVE-2026-1965 [MEDIUM] CVE-2026-1965 Impact, Exploitability, and Mitigation Steps | Wiz ## CVE-2026-1965 : cURL vulnerability analysis and mitigation libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates connections and not requests , contrary to how HTTP is designed to work. user1:password1 user2:password2 CURLOPT_HTTPAUTH CURLOPT_FRESH_CONNECT C

CVE-2025-13034 [MEDIUM] CVE-2025-13034 Impact, Exploitability, and Mitigation Steps | Wiz ## CVE-2025-13034 : cURL vulnerability analysis and mitigation CURLOPT_PINNEDPUBLICKEY --pinnedpubkey This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification. Source : NVD ## 5.9 Score Published January 8, 2026 Severity MEDIUM CNA Score 5.9 Affected Technologies cURL Libcurl Has Public Exploit No Has CISA KEV Exploit No CISA KEV Release Date N/A CISA KEV Due Date N/A Exploitation Probability Percentile (EPSS) 1.2 Exploitation Probability (EPSS) N/A Affected packages and libraries curl curl

CVE-2025-11563 [MEDIUM] CVE-2025-11563 Impact, Exploitability, and Mitigation Steps | Wiz ## CVE-2025-11563 : cURL vulnerability analysis and mitigation ## Overview CVE-2025-11563 is a path traversal vulnerability affecting wcurl, discovered on October 6, 2025, and publicly disclosed on November 4, 2025. The vulnerability affects wcurl versions shipped with curl 8.14.0 to 8.16.0 and standalone wcurl versions from 2024.12.08 to 2025.09.27. This security flaw allows URLs containing percent-encoded slashes (/ or ) to trick wcurl into saving output files outside of the current directory without explicit user permission ( Curl Advisory ). ## Technical details The vulnerability is classified as CWE-35: Path Traversal with a Moderate severity rating. The issue stems from wcurl's handling of percent-encoded slashes in URLs, where the tool incorrectly processes URLs containing p

CVE-2025-14017 [MEDIUM] CVE-2025-14017 Impact, Exploitability, and Mitigation Steps | Wiz ## CVE-2025-14017 : cURL vulnerability analysis and mitigation When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well. Source : NVD ## 6.3 Score Published January 8, 2026 Severity MEDIUM CNA Score 6.3 Affected Technologies cURL Libcurl Has Public Exploit No Has CISA KEV Exploit No CISA KEV Release Date N/A CISA KEV Due Date N/A Exploitation Probability Percentile (EPSS) 0.6 Exploitation Probability (EPSS) N/A Affected packages and libraries snphost cpe:2.3:a:haxx:curl Sources Alp

CVE-2026-3783 [MEDIUM] CVE-2026-3783 Impact, Exploitability, and Mitigation Steps | Wiz ## CVE-2026-3783 : cURL vulnerability analysis and mitigation When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. machine default Source : NVD ## 5.3 Score Published March 11, 2026 Severity MEDIUM CNA Score 5.3 Affected Technologies cURL Alma Linux Has Public Exploit Yes Has CISA KEV Exploit No CISA KEV Release Date N/A CISA KEV Due Date N/A Exploitation Probability Percentile (EPSS) 3.5 Exploitation Probability (EPSS) N/A Affected packages and libraries s390utils-mon_statd trustee-guest-components Sources Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity MEDIUM Has Fix Ad

CVE-2026-3805 [HIGH] CVE-2026-3805 curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling [fedora-43] CVE-2026-3805 curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling [fedora-43] Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. Discussion: FEDORA-2026-66db242036 (curl-8.15.0-6.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2026-66db242036 --- FEDORA-2026-66db242036 has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-66db242036` You can provide feedback for this upd

CVE-2026-3805 [HIGH] CVE-2026-3805 rpi-imager: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling [fedora-42] CVE-2026-3805 rpi-imager: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling [fedora-42] Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. Discussion: This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it

CVE-2026-3805 [HIGH] CVE-2026-3805: use after free in SMB connection reuse CVE-2026-3805: use after free in SMB connection reuse ## Summary A heap-use-after-free occurs in `smb_send_open()` at `lib/smb.c` when curl processes two SMB URLs targeting the same host. The function `smb_parse_url_path()` sets `req->path` as a non-owning pointer into `smbc->share` (connection-owned memory). During connection reuse, the needle connection is freed via `Curl_conn_free()` → `smb_conn_dtor()`, which frees `smbc->share`, but `req->path` (on the easy handle) still references the freed buffer. The subsequent `strlen(req->path)` in `smb_send_open()` reads freed heap memory. ## Affected Version curl 8.19.0-DEV (master branch, built March 8 2026) Platform: Ubuntu 22.04 on x86_64 (WSL2) Built with: gcc, OpenSSL, --enable-smb, -fsanitize=address ## Steps To Reproduce 1. Clone a

CVE-2026-3805 [HIGH] CVE-2026-3805 curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling CVE-2026-3805 curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.

CVE-2026-3805 [HIGH] CVE-2026-3805 mingw-curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling [fedora-42] CVE-2026-3805 mingw-curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling [fedora-42] Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. Discussion: This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it

CVE-2026-3805 [HIGH] CVE-2026-3805 trustee-guest-components: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling [fedora-42] CVE-2026-3805 trustee-guest-components: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling [fedora-42] Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. Discussion: This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'. Package Maintainer: If you wish for this bug to remain open because you

CVE-2026-3805 [HIGH] CVE-2026-3805 curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling [fedora-42] CVE-2026-3805 curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling [fedora-42] Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. Discussion: FEDORA-2026-907bbf2a13 (curl-8.11.1-8.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2026-907bbf2a13 --- FEDORA-2026-907bbf2a13 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-907bbf2a13` You can provide feedback for this upd