CURL-CVE-2026-3805

Source
https://curl.se/docs/CVE-2026-3805.html
Import Source
https://curl.se/docs/CURL-CVE-2026-3805.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2026-3805
Published
2026-03-11T08:00:00Z
Modified
2026-03-13T05:56:40.803423Z
Summary
use after free in SMB connection reuse
Details

When doing a second SMB request to the same host, curl would wrongly use a data pointer pointing into already freed memory.

Database specific
{
    "package": "curl",
    "issue": "https://hackerone.com/reports/3591944",
    "severity": "Medium",
    "URL": "https://curl.se/docs/CVE-2026-3805.json",
    "affects": "both",
    "CWE": {
        "desc": "Use After Free",
        "id": "CWE-416"
    },
    "www": "https://curl.se/docs/CVE-2026-3805.html",
    "last_affected": "8.18.0"
}
Credits
    • Daniel Wade - FINDER
    • Stefan Eissing - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
8.13.0
Fixed
8.19.0
Type
GIT
Repo
https://github.com/curl/curl.git

Affected versions

8.*
8.13.0
8.14.0
8.14.1
8.15.0
8.16.0
8.17.0
8.18.0

Database specific

vanir_signatures
[
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CURL-CVE-2026-3805-2ab8a3de",
        "target": {
            "file": "lib/smb.c",
            "function": "smb_parse_url_path"
        },
        "digest": {
            "length": 724.0,
            "function_hash": "289847432197702324794191133246124145933"
        },
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/e090be9f73a7a71459ef678c7cc4b1f75e3ea883"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CURL-CVE-2026-3805-8d0d6de0",
        "target": {
            "file": "lib/smb.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/e090be9f73a7a71459ef678c7cc4b1f75e3ea883"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CURL-CVE-2026-3805-cd34babf",
        "target": {
            "file": "lib/smb.c",
            "function": "smb_easy_dtor"
        },
        "digest": {
            "length": 150.0,
            "function_hash": "283418310670605729825737110288136594220"
        },
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/e090be9f73a7a71459ef678c7cc4b1f75e3ea883"
    }
]
source
"https://curl.se/docs/CURL-CVE-2026-3805.json"