CVE-2026-5773

Publication date 29 April 2026

Last updated 10 July 2026


Ubuntu priority

Cvss 3 Severity Score

7.5 · High

Score breakdown

Description

libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.

Read the notes from the security team

Why is this CVE low priority?

curl is dropping support for SMB later in 2026 and only supports SMB version 1

Learn more about Ubuntu priority

Mitigation

Avoid using SMB

Status

Package Ubuntu Release Status
curl 26.04 LTS resolute
Fixed 8.18.0-1ubuntu2.1
25.10 questing
Fixed 8.14.1-2ubuntu1.3
24.04 LTS noble
Fixed 8.5.0-2ubuntu10.9
22.04 LTS jammy
Fixed 7.81.0-1ubuntu1.24
20.04 LTS focal
Fixed 7.68.0-1ubuntu2.25+esm5
18.04 LTS bionic
Fixed 7.58.0-2ubuntu3.24+esm10
16.04 LTS xenial
Fixed 7.47.0-1ubuntu2.19+esm17
14.04 LTS trusty
Not affected

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Notes


ebarretto

Introduced-in: https://github.com/curl/curl/commit/aec2e865f0

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
curl

Severity score breakdown

CVSS version: CVSS v3.0

Base score 7.5 · High

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Related Ubuntu Security Notices (USN)

Other references


Access our resources on patching vulnerabilities