High severity7.5NVD Advisory· Published May 13, 2026· Updated May 13, 2026

CVE-2026-5773

Description

libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers.

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should.

This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.

Affected products

Curl/Curlinferred
Haxx/Curl
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Range: >=7.40.0,<8.20.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/04/29/9nvdMailing ListPatchThird Party Advisory
curl.se/docs/CVE-2026-5773.htmlnvdPatchVendor Advisory
hackerone.com/reports/3650689nvdExploitIssue TrackingThird Party Advisory
curl.se/docs/CVE-2026-5773.jsonnvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000