Vulnerability in Curl

CVE-2026-3805

When doing a second SMB request to the same host, curl would wrongly use a data pointer pointing into already freed memory.

EPSS: 0.000 (9.0th percentile)

Affected products

  • Curl — versions 8.18.0, 8.17.0, 8.16.0

Frequently asked questions

What is CVE-2026-3805?
CVE-2026-3805 is a vulnerability in Curl, classified under CWE-416 (Use After Free). Published 2026-03-11.
Is CVE-2026-3805 known to be exploited?
1 public proof-of-concept repository is indexed. It is not currently listed in the CISA KEV catalog.