[security][HIGH] curl 8.18.0: CVE-2026-3805 require triage #1

Closed
opened 2026-04-29 04:39:31 +03:00 by sbelikov · 1 comment
Owner

CVE triage request

Package

  • Package: curl
  • Version: 8.18.0
  • EVR: 8.18.0-1
  • Category: security
  • Policy class: security-critical
  • NiceOS policy class: -
  • Owner: security-team
  • Severity: HIGH
  • Max CVSS: 7.5
  • CVE count: 1

LLM recommendation

RU

Memory vulnerability in curl (CVE-2026-3805): use of a freed pointer on a repeated SMB request to the same host.

Immediately update the curl package to a version that fixes the vulnerability, or apply a patch if an update is unavailable. Avoid repeated SMB requests to the same hosts without re-creating sessions.

Recommended action: needs_triage

Target version hint: -

Checks:
1. Check whether CVE-2026-3805 is in the list of known vulnerabilities for the current curl version.
2. Test repeated SMB requests to a single host using curl.
3. Check process stability and the absence of memory faults (segfaults) after the update.

Risks: Possible arbitrary code execution or denial of service when processing specific SMB requests, due to use of freed memory.

EN

Memory use-after-free vulnerability in curl (CVE-2026-3805): using a freed pointer during a second SMB request to the same host.

Immediately update the curl package to a version fixing the vulnerability, or apply a patch if an update is unavailable. Avoid making repeated SMB requests to the same nodes without re-creating sessions.

Recommended action: needs_triage

Target version hint: -

Tests:
1. Verify if CVE-2026-3805 is listed in known vulnerabilities for the current curl version.
2. Test repeated SMB requests to the same host using curl.
3. Check process stability and absence of memory crashes (segfaults) after updating.

Risks: Potential arbitrary code execution or denial of service when processing specific SMB requests due to use of freed memory.

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | NiceOS status | Reason |
|---|---|---:|---|---|---|
| CVE-2026-3805 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range |

Descriptions

CVE-2026-3805

When doing a second SMB request to the same host again, curl would wrongly use
a data pointer pointing into already freed memory.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2026-3805"
  ],
  "fingerprint": "1df0d60fa46b4fe5bb84",
  "generated_at": "2026-04-29T01:39:30Z",
  "package": "curl",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "8.18.0"
}
Author
Owner

Fixed in curl-8.18.0-2 on branch niceos-5.2.

Triage result:

| CVE | NiceOS status | Resolution |
|---|---|---|
| CVE-2026-3805 | fixed | Backported upstream SMB connection reuse fix onto the NiceOS 5.2 pinned curl 8.18.x line. |

Details:

  • Upstream marks curl 8.13.0 through 8.18.0 as affected.
  • Upstream fixed the issue in curl 8.19.0 with commit e090be9f73a7a71459ef678c7cc4b1f75e3ea883.
  • NiceOS keeps Version: 8.18.0 and bumps Release to 2 to avoid unnecessary behavior changes in the stable branch.
  • The patch changes only SMB request path lifetime handling in lib/smb.c.
  • No public ABI change is expected: SONAME remains libcurl.so.4; public headers and exported libcurl API are unchanged.

Verification:

  • rpmbuild -bp confirms the patched SMB code is present in the prepared build tree.
  • rpmbuild -ba SPECS/curl.spec completed successfully.
  • Upgrade test completed successfully.
  • curl --version completed successfully.
  • Basic HTTPS smoke test completed successfully.
  • SONAME check confirms libcurl.so.4.

Closing as fixed by backport.
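
An added example, not part of the issue and not NiceOS tooling: because the backport keeps `Version: 8.18.0`, the upstream version alone no longer separates patched from unpatched builds, so this sketch classifies a host from the package version-release plus the `Protocols` line of `curl --version`. The function names, the sample `curl --version` text, the dist-tag handling and the rule that a build without SMB counts as `not_affected` are assumptions.

```shell
#!/bin/sh
# Added example (not NiceOS tooling): classify a curl build for CVE-2026-3805.
# Inputs: package VERSION-RELEASE and the text printed by `curl --version`.
# Live use: classify "$(rpm -q --qf '%{VERSION}-%{RELEASE}' curl)" "$(curl --version)"

# ver_le A B: succeeds when dotted version A <= B (needs sort -V, e.g. GNU coreutils).
ver_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# has_smb TEXT: succeeds when the Protocols line lists smb or smbs.
has_smb() {
    printf '%s\n' "$1" | grep -i '^Protocols:' | grep -Eqw 'smbs?'
}

# classify EVR TEXT: prints not_affected, affected or fixed.
classify() {
    version=${1%%-*}
    case $1 in *-*) release=${1#*-} ;; *) release=0 ;; esac
    release=${release%%.*}            # drop a dist tag such as ".niceos5" (hypothetical)
    case $release in ''|*[!0-9]*) release=0 ;; esac
    # Assumption: a build without SMB support does not reach the SMB code.
    if ! has_smb "$2"; then echo not_affected; return; fi
    # Upstream range from the issue: 8.13.0 through 8.18.0, fixed in 8.19.0.
    if ! ver_le 8.13.0 "$version"; then echo not_affected; return; fi
    if ver_le 8.19.0 "$version"; then echo fixed; return; fi
    # NiceOS backport: Version stays 8.18.0, Release 2 and later carry the fix.
    if [ "$version" = 8.18.0 ] && [ "$release" -ge 2 ]; then
        echo fixed
    else
        echo affected
    fi
}

# Constructed `curl --version` samples (not captured from a NiceOS host).
SAMPLE_SMB='curl 8.18.0 (x86_64-pc-linux-gnu) libcurl/8.18.0
Protocols: dict file ftp ftps http https imap imaps smb smbs smtp smtps tftp'
SAMPLE_NOSMB='curl 8.18.0 (x86_64-pc-linux-gnu) libcurl/8.18.0
Protocols: file ftp ftps http https'

for evr in 8.12.1-1 8.18.0-1 8.18.0-2 8.19.0-1; do
    printf '%s smb=yes -> %s\n' "$evr" "$(classify "$evr" "$SAMPLE_SMB")"
done
printf '8.18.0-1 smb=no -> %s\n' "$(classify 8.18.0-1 "$SAMPLE_NOSMB")"
```

Versions between 8.18.0 and 8.19.0 that are not the NiceOS `8.18.0-2` backport are reported as `affected`, the conservative reading of the range stated in the issue.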
