DEBIAN-CVE-2026-5773

DEBIAN-CVE-2026-5773 PUBLISHED CVSS 7.5 HIGH

libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl keeps a pool of recent connections so that subsequent requests can reuse an existing connection and avoid the overhead of setting up a new one. Before a connection is reused, a range of criteria must be met. Due to a logic error in the code, a network transfer requested by an application could wrongly reuse an existing SMB connection to the same server that was using a different 'share' than the one the new transfer should use. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.
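The reuse condition described above, as an added example: a simplified model, not libcurl's code. The struct, the function names, the sample host, user and share values, and the exact (case-sensitive) share comparison are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a pooled SMB connection; not libcurl's real structures. */
struct conn { const char *host; const char *user; const char *share; };

/* Constructed sample: a pooled connection already bound to share "public". */
static const struct conn SAMPLE_POOLED = { "files.example", "alice", "public" };

/* Copy the share (first path segment of smb://host/share/path) into out. */
static int smb_share(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    if (!p) return -1;
    p = strchr(p + 3, '/');              /* slash that ends the host part */
    if (!p || p[1] == '\0') return -1;   /* no share in the URL */
    p++;
    size_t n = strcspn(p, "/");
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Share-blind check: same server and credentials are enough to reuse. */
int reusable_without_share(const struct conn *c, const char *host, const char *user)
{
    return strcmp(c->host, host) == 0 && strcmp(c->user, user) == 0;
}

/* Share-aware check: the pooled connection must also be on the same share. */
int reusable_with_share(const struct conn *c, const char *host,
                        const char *user, const char *url)
{
    char share[64];
    if (smb_share(url, share, sizeof share) != 0) return 0;
    return reusable_without_share(c, host, user) && strcmp(c->share, share) == 0;
}

int main(void)
{
    const char *next = "smb://files.example/finance/report.txt"; /* constructed */
    printf("share-blind check reuses pooled connection: %d\n",
           reusable_without_share(&SAMPLE_POOLED, "files.example", "alice"));
    printf("share-aware check reuses pooled connection: %d\n",
           reusable_with_share(&SAMPLE_POOLED, "files.example", "alice", next));
    return 0;
}
```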

Risk Scores

CVSS v3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor      Product   Versions
Debian:12   curl      8.16.0-1, 8.3.0-2~bpo12+1, 8.3.0-2~exp1
Debian:14   curl      8.18.0-1, 8.18.0-1~bpo13+1, 8.18.0-2
Debian:13   curl      8.17.0-2, 8.17.0-3, 8.17.0
Debian:11   curl      8.7.1-1, *, 0

Timeline

  • Apr 29, 2026 CVE Published
  • May 14, 2026 CVE Updated