CVE-2026-5773 Overview
CVE-2026-5773 is a high-severity logic flaw in libcurl that causes incorrect connection reuse for Server Message Block (SMB) and SMBS transfers. The library maintains a pool of recent connections to reduce overhead on subsequent requests. A flaw in the reuse criteria allows an application's network transfer to incorrectly select an existing SMB connection bound to a different share on the same server. This can result in downloading the wrong file or uploading data to an unintended location. The same credentials are used and the server name matches, so authentication does not block the misrouted transfer.
Critical Impact
Applications relying on libcurl for SMB or SMBS transfers may read or write files against the wrong network share, exposing sensitive data through misrouted I/O operations.
Affected Products
- Haxx curl (libcurl) — SMB and SMBS transfer functionality
- Applications and services that link against libcurl for SMB(S) operations
- Systems using libcurl connection pooling with multiple SMB shares on the same host
Discovery Timeline
- 2026-05-13 - CVE-2026-5773 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-5773
Vulnerability Analysis
libcurl caches recently used network connections so subsequent requests can avoid the cost of reconnecting and reauthenticating. Each candidate connection is compared against a set of criteria before reuse to ensure protocol, host, port, credentials, and other context align with the new request.
For SMB and SMBS transfers, the comparison logic does not include the SMB share name. When an application initiates a new SMB transfer to a server it has previously contacted, libcurl may select a pooled connection that is currently bound to a different share. The transfer then proceeds against the wrong share without any error condition surfacing to the calling application.
The impact is confined to confidentiality and data integrity for SMB workloads. The CVSS vector reflects network attack reachability and high confidentiality impact with no required privileges or user interaction.
Root Cause
The root cause is a missing equality check on the SMB share component during connection reuse evaluation. The reuse logic treats two connections to the same host with the same credentials as interchangeable, even when each connection is scoped to a different share. This is classified under [CWE-918] as a server-side request forgery–style flaw where the destination resource does not match the requested resource.
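The following is an added illustration of the reuse check described above, written for this page as a simplified model and not taken from libcurl's source: a pooled SMB connection is matched on scheme, host, port and user, and the `check_share` flag stands in for the missing (vulnerable) versus present (fixed) share comparison. Host and user names are constructed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class PooledConn:
    scheme: str
    host: str
    port: int
    user: str
    share: str  # share the connection is currently bound to (tree-connected)


def parse_smb_url(url: str) -> PooledConn:
    """Split an smb:// or smbs:// URL; the first path segment is the share."""
    u = urlparse(url)
    if u.scheme not in ("smb", "smbs"):
        raise ValueError("not an SMB URL: " + url)
    parts = [p for p in u.path.split("/") if p]
    if not parts:
        raise ValueError("SMB URL needs a share name: " + url)
    return PooledConn(u.scheme, u.hostname or "", u.port or 445,
                      u.username or "", parts[0])


def reusable(existing: PooledConn, wanted: PooledConn, check_share: bool) -> bool:
    """Model of the reuse criteria. With check_share=False (the flawed logic)
    two connections to the same host with the same credentials are treated
    as interchangeable even when bound to different shares."""
    same = (existing.scheme == wanted.scheme and existing.host == wanted.host
            and existing.port == wanted.port and existing.user == wanted.user)
    if check_share:
        same = same and existing.share == wanted.share
    return same


def pick_connection(pool: list, url: str, check_share: bool) -> Optional[PooledConn]:
    """Return the first pooled connection the request would reuse, or None."""
    wanted = parse_smb_url(url)
    for conn in pool:
        if reusable(conn, wanted, check_share):
            return conn
    return None


if __name__ == "__main__":
    pool = [parse_smb_url("smb://svc@files.example.test/finance/report.xlsx")]
    new_url = "smb://svc@files.example.test/public/upload.bin"
    print("flawed :", pick_connection(pool, new_url, check_share=False))
    print("fixed  :", pick_connection(pool, new_url, check_share=True))
```

With the flawed criteria the transfer to the `public` share silently reuses the connection bound to `finance`; with the share compared it creates a new connection instead.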
Attack Vector
Exploitation requires an application that performs SMB or SMBS transfers across multiple shares on the same server using a shared libcurl handle pool. An attacker who can influence the sequence of transfer requests, or who controls the server hosting the shares, may cause sensitive uploads to land on an attacker-readable share or cause sensitive downloads to be sourced from an attacker-controlled share. The vulnerability does not require authentication bypass because the legitimate credentials are reused on the wrong destination.
No verified proof-of-concept code is available. See the Curl CVE-2026-5773 Documentation and the HackerOne Report #3650689 for upstream technical details.
Detection Methods for CVE-2026-5773
Indicators of Compromise
- SMB or SMBS transfer log entries where the resolved share name differs from the share requested by the application
- Files appearing on SMB shares that do not correspond to any sanctioned upload workflow
- Unexpected read access to SMB resources from service accounts that use libcurl-based clients
Detection Strategies
- Inventory all applications and packages linking against libcurl and identify those configured to perform SMB(S) transfers
- Correlate application transfer logs with SMB server audit logs to identify mismatches between intended and actual share targets
- Review libcurl version strings reported by deployed binaries against the fixed upstream release listed in the curl advisory
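As an added example of the log correlation strategy above (not part of the original advisory), the script below joins an application-side transfer log with SMB server audit records on user, file name and a short time window, and flags entries where the share actually accessed differs from the share in the requested URL. Both log formats and all values are constructed for illustration; real audit logs will need their own field parsing.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample data: what the application asked libcurl to transfer...
APP_LOG = """\
2026-05-14T10:02:11Z user=svc url=smb://files.example.test/finance/report.xlsx
2026-05-14T10:02:12Z user=svc url=smb://files.example.test/public/banner.png
"""
# ...and what the SMB server's audit log says was actually touched.
SMB_AUDIT = """\
2026-05-14T10:02:11Z user=svc share=finance path=report.xlsx op=read
2026-05-14T10:02:13Z user=svc share=finance path=banner.png op=read
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def intended_share_and_name(url: str):
    """Share is the first path segment of the SMB URL; file name is the last."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    return parts[0], parts[-1]


def find_mismatches(app_log: str, smb_audit: str,
                    window: timedelta = timedelta(seconds=5)) -> list:
    """Return (requested_url, actual_share) pairs where the audited share
    differs from the share named in the application's URL."""
    audits = [parse(l) for l in smb_audit.splitlines() if l.strip()]
    hits = []
    for line in app_log.splitlines():
        if not line.strip():
            continue
        app = parse(line)
        share, name = intended_share_and_name(app["url"])
        for a in audits:
            if (a["user"] == app["user"]
                    and a["path"].rsplit("/", 1)[-1] == name
                    and abs(a["ts"] - app["ts"]) <= window
                    and a["share"] != share):
                hits.append((app["url"], a["share"]))
    return hits


if __name__ == "__main__":
    for url, actual in find_mismatches(APP_LOG, SMB_AUDIT):
        print(f"share mismatch: requested {url} but audit shows share={actual}")
```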
Monitoring Recommendations
- Enable SMB server-side auditing for file create, read, and write events and forward events to a central data lake for correlation
- Alert on writes to administrative or sensitive shares originating from service identities associated with libcurl-based applications
- Track changes to libcurl package versions across endpoints and servers to confirm patch deployment coverage
How to Mitigate CVE-2026-5773
Immediate Actions Required
- Upgrade libcurl to the patched release identified in the Curl CVE-2026-5773 Documentation
- Audit applications that issue SMB or SMBS transfers through libcurl and confirm they receive the fixed library at link time
- Restrict libcurl-based service accounts to the minimum set of SMB shares required for their function
Patch Information
The curl project has published an advisory and machine-readable JSON record for this issue. Refer to the Curl CVE-2026-5773 Documentation and the Curl CVE-2026-5773 JSON Data for the affected version range and fix commit. Distribution maintainers are tracking the issue through the Openwall OSS Security Post.
Workarounds
- Disable connection reuse for SMB transfers by setting CURLOPT_FORBID_REUSE to 1L on affected easy handles until libcurl is upgraded
- Use a dedicated CURL handle per SMB share to prevent pooled connections from being shared across shares
- Avoid mixing SMB transfers to different shares on the same server within a single connection pool lifetime
/* Configuration example: force a fresh connection per SMB transfer.
   Apply in application code that wraps libcurl. */
curl_easy_setopt(handle, CURLOPT_FORBID_REUSE, 1L);   /* do not return this connection to the pool afterwards */
curl_easy_setopt(handle, CURLOPT_FRESH_CONNECT, 1L);  /* do not pick an existing pooled connection for this transfer */
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.