curl SMB UAF: freed memory used on repeated request
CVE-2026-3805 Published on March 11, 2026
use after free in SMB connection reuse
When doing a second SMB request to the same host again, curl would wrongly use
a data pointer pointing into already freed memory.
Products Associated with CVE-2026-3805
Want to know whenever a new CVE is published for Haxx Curl? stack.watch will email you.
Affected Versions
curl:- Version 8.18.0, <= 8.18.0 is affected.
- Version 8.17.0, <= 8.17.0 is affected.
- Version 8.16.0, <= 8.16.0 is affected.
- Version 8.15.0, <= 8.15.0 is affected.
- Version 8.14.1, <= 8.14.1 is affected.
- Version 8.14.0, <= 8.14.0 is affected.
- Version 8.13.0, <= 8.13.0 is affected.