curl, Use After Free, CVE-2026-3805 (Medium)

Listen to this Post

When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. The root cause lies in the SMB connection handler, specifically within the `smb_parse_url_path()` function. When parsing the first SMB URL, the function stores a non-owning pointer (req->path) that points to a memory buffer allocated for the connection’s share name (smbc->share). After the first SMB request completes, if the connection is kept alive and reused for a second request to the same host, the library frees the `smbc->share` buffer during the connection teardown process . However, the `req->path` pointer, which was intended for the new request, is not updated or invalidated; it still points to the now-freed memory . When the second request is processed, a subsequent call to `strlen(req->path)` is made . This dereferences the dangling pointer, leading to a read of freed heap memory. This results in a heap-use-after-free condition, which can cause the application to crash . While the crash is the most likely outcome, if the freed memory has been reallocated with attacker-controlled data before the `strlen` call, it could potentially lead to information leakage . The vulnerability exists only in versions where SMB support is enabled and connection reuse occurs .

DailyCVE Form:

Platform: cURL/libcurl
Version: 8.13.0-8.18.0
Vulnerability: Use After Free
Severity: Medium
Date: 2026-03-11

Prediction: Patch by 2026-03-11

What Undercode Say:

Analytics:

`git clone https://github.com/curl/curl.git`

`cd curl && git checkout curl-8_18_0</h2>
<h2 style="color: blue;">
./configure –enable-smb –enable-debug –enable-asan</h2>
<h2 style="color: blue;">
make && src/curl -V</h2>
<h2 style="color: blue;">
./scripts/run_uaf.sh</h2>
<h2 style="color: blue;">How Exploit:</h2>
<h2 style="color: blue;">1. Setup fake SMB server.</h2>
<h2 style="color: blue;">2. Build curl with ASAN.</h2>
<h2 style="color: blue;">3. Execute first SMB request.</h2>
<h2 style="color: blue;">4. Reuse connection for second.</h2>
<h2 style="color: blue;">5. Trigger `strlen` on freed pointer.</h2>
<h2 style="color: blue;">6. Observe heap-use-after-free.</h2>
<h2 style="color: blue;">
smb_send_open()+fake_smb_server.py</h2>
<h2 style="color: blue;">Protection from this CVE:</h2>
<h2 style="color: blue;">Upgrade to 8.19.0</h2>
<h2 style="color: blue;">Apply official patch</h2>
<h2 style="color: blue;">Avoid SMB transfers</h2>
<h2 style="color: blue;">Disable SMB protocol</h2>
<h2 style="color: blue;">Rebuild libcurl without SMB</h2>
<h2 style="color: blue;">
./configure –disable-smb`

Impact:

Denial of Service

Potential Information Leak

Client Memory Corruption

Crashes in Applications

Unpredictable program behavior

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top