{}

{}

{}

{"bugzilla": {"description": "curl: libcurl: Wrong file transfer due to incorrect SMB connection reuse", "id": "2461201", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461201"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-1025", "details": ["A flaw was found in libcurl. Due to a logical error in the connection reuse mechanism for SMB (Server Message Block) transfers, libcurl might reuse an existing SMB connection with a different share than intended. This vulnerability, categorized as CWE-488 (Exposure of Data Element to Wrong Session), could lead to the download of an incorrect file or the upload of a file to an unintended location when an application uses libcurl for SMB transfers."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid using SMB for transfers with libcurl. As SMB support is opt-in since curl 8.20.0 and SMBv1 is deprecated, ensuring SMB functionality is disabled or not utilized in applications leveraging libcurl will prevent exposure. If SMB is required, consider upgrading to curl 8.20.0 or later, which addresses this flaw by preventing SMB connection reuse."}, "name": "CVE-2026-5773", "package_state": [{"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Fix deferred", "package_name": "build-of-trustee/trustee-rhel9", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Fix deferred", "package_name": "confidential-compute-attestation-tech-preview/trustee-rhel9", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Fix deferred", "package_name": "openshift-sandboxed-containers/osc-operator-bundle", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Fix deferred", "package_name": "openshift-sandboxed-containers/osc-podvm-builder-rhel9", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Fix deferred", "package_name": "openshift-sandboxed-containers/osc-podvm-payload-rhel9", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Fix deferred", "package_name": "openshift-sandboxed-containers/osc-rhel9-operator", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/cluster-logging-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/cluster-logging-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/eventrouter-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/fluentd-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/log-file-metric-exporter-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/logging-view-plugin-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/vector-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "rust", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "s390utils", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "snphost", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "trustee", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "trustee-guest-components", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "rust", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "snphost", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "trustee-guest-components", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rust", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "curl", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "rust", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Fix deferred", "package_name": "curl", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/code-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:trusted_profile_analyzer:2", "fix_state": "Fix deferred", "package_name": "rhtpa/rhtpa-trustification-service-rhel9", "product_name": "Red Hat Trusted Profile Analyzer"}], "public_date": "2026-04-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-5773\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5773\nhttps://curl.se/docs/CVE-2026-5773.html"], "statement": "This Moderate impact flaw in libcurl affects applications performing SMB transfers. A logical error in the SMB connection reuse mechanism can lead to unintended file downloads or uploads to incorrect locations. This impacts applications that rely on libcurl for secure and accurate SMB file operations.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 75.0, "confidence_source": "inferred", "scores": [{"score": 75.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "libcurl", "vendor": "curl"}], "created": "2026-05-01T01:30:05.582340+00:00", "updated": "2026-05-01T01:30:05.582374+00:00", "vendors": ["curl", "curl$PRODUCT$libcurl"]}