Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-04-29T00:00:00 curl: libcurl: Wrong file transfer due to incorrect SMB connection reuse 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CWE-1025

A flaw was found in libcurl. Due to a logical error in the connection reuse mechanism for SMB (Server Message Block) transfers, libcurl might reuse an existing SMB connection with a different share than intended. This vulnerability, categorized as CWE-488 (Exposure of Data Element to Wrong Session), could lead to the download of an incorrect file or the upload of a file to an unintended location when an application uses libcurl for SMB transfers.

This Moderate impact flaw in libcurl affects applications performing SMB transfers. A logical error in the SMB connection reuse mechanism can lead to unintended file downloads or uploads to incorrect locations. This impacts applications that rely on libcurl for secure and accurate SMB file operations. To mitigate this issue, avoid using SMB for transfers with libcurl. As SMB support is opt-in since curl 8.20.0 and SMBv1 is deprecated, ensuring SMB functionality is disabled or not utilized in applications leveraging libcurl will prevent exposure. If SMB is required, consider upgrading to curl 8.20.0 or later, which addresses this flaw by preventing SMB connection reuse. Red Hat Hardened Images 2026-05-02T00:00:00Z RHSA-2026:12916 curl-main-8.20.0-0.1.hum1 Confidential Compute Attestation Fix deferred build-of-trustee/trustee-rhel9 Confidential Compute Attestation Fix deferred confidential-compute-attestation-tech-preview/trustee-rhel9 Confidential Compute Attestation Fix deferred openshift-sandboxed-containers/osc-operator-bundle Confidential Compute Attestation Fix deferred openshift-sandboxed-containers/osc-podvm-builder-rhel9 Confidential Compute Attestation Fix deferred openshift-sandboxed-containers/osc-podvm-payload-rhel9 Confidential Compute Attestation Fix deferred openshift-sandboxed-containers/osc-rhel9-operator Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/cluster-logging-operator-bundle Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/cluster-logging-rhel9-operator Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/eventrouter-rhel9 Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/fluentd-rhel9 Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/log-file-metric-exporter-rhel9 Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/logging-view-plugin-rhel9 Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/vector-rhel9 Red Hat Enterprise Linux 10 Fix deferred curl Red Hat Enterprise Linux 10 Fix deferred rust Red Hat Enterprise Linux 10 Fix deferred s390utils Red Hat Enterprise Linux 10 Fix deferred snphost Red Hat Enterprise Linux 10 Fix deferred trustee Red Hat Enterprise Linux 10 Fix deferred trustee-guest-components Red Hat Enterprise Linux 6 Fix deferred curl Red Hat Enterprise Linux 7 Fix deferred curl Red Hat Enterprise Linux 8 Fix deferred curl Red Hat Enterprise Linux 9 Fix deferred curl Red Hat Enterprise Linux 9 Fix deferred rust Red Hat Enterprise Linux 9 Fix deferred snphost Red Hat Enterprise Linux 9 Fix deferred trustee-guest-components Red Hat Enterprise Linux AI (RHEL AI) 3 Fix deferred rust Red Hat Hardened Images Not affected rust Red Hat JBoss Core Services Fix deferred curl Red Hat OpenShift Container Platform 4 Fix deferred rhcos Red Hat OpenShift Dev Spaces Fix deferred devspaces/code-rhel9 Red Hat Trusted Profile Analyzer Fix deferred rhtpa/rhtpa-trustification-service-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-5773 https://nvd.nist.gov/vuln/detail/CVE-2026-5773 https://curl.se/docs/CVE-2026-5773.html