[security][HIGH] curl 8.18.0: 3 CVE require triage #3

New issue

Open

opened 2026-05-25 00:46:43 +03:00 by sbelikov · 0 comments

sbelikov commented

2026-05-25 00:46:43 +03:00

Owner

CVE triage request / Запрос на разбор CVE

Package / Пакет

Package: curl
Version: 8.18.0
EVR: 8.18.0-2
Category: -
Policy class: -
NiceOS policy class: -
Owner: -
Severity: HIGH
Max CVSS: 7.5
CVE count: 3

LLM recommendation / Рекомендация LLM

RU

Для пакета curl 8.18.0 найдены CVE-кандидаты по данным NVD/CPE: CVE-2026-3805, CVE-2026-5773, CVE-2026-6276. Требуется triage security-team.

Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета.

Рекомендуемое действие: needs_triage

Подсказка по целевой версии: -

Проверки: Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета.

Риски: Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС.

EN

NVD/CPE candidate CVEs were found for curl 8.18.0: CVE-2026-3805, CVE-2026-5773, CVE-2026-6276. Security-team triage is required.

Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required.

Recommended action: needs_triage

Target version hint: -

Tests: Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests.

Risks: An automatic NVD/CPE match is not the final NiceOS vulnerability verdict.

CVE candidates from NVD/CPE

CVE	Severity	CVSS	Match	NiceOS status	Reason
CVE-2026-3805	HIGH	7.5	cpe-range	needs_triage	package version is inside version range
CVE-2026-5773	HIGH	7.5	cpe-range	needs_triage	package version is inside version range
CVE-2026-6276	HIGH	7.5	cpe-range	needs_triage	package version is inside version range

Descriptions

CVE-2026-3805

When doing a second SMB request to the same host again, curl would wrongly use
a data pointer pointing into already freed memory.

CVE-2026-5773

libcurl might in some circumstances reuse the wrong connection for SMB(S)
transfers.

libcurl features a pool of recent connections so that subsequent requests can
reuse an existing connection to avoid overhead.

When reusing a connection a range of criteria must be met. Due to a logical
error in the code, a network transfer operation that was requested by an
application could wrongfully reuse an existing SMB connection to the same
server that was using a different 'share' than the new subsequent transfer
should.

This could in unlucky situations lead to the download of the wrong file or the
upload of a file to the wrong place. When this happens, the same credentials
are used and the server name is the same.

CVE-2026-6276

Using libcurl, when a custom Host: header is first set for an HTTP request
and a second request is subsequently done using the same easy handle but
without the custom Host: header set, the second request would use stale
information and pass on cookies meant for the first host in the second
request. Leak them.

Maintainer checklist

Verify whether each CVE applies to the NiceOS build.
Compare NVD data with upstream/vendor advisory.
Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
If affected, decide update/backport strategy according to package policy class.
Run package-class-specific build, upgrade and regression tests.
Add/update niceos_cve_triage entry.
Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2026-3805",
    "CVE-2026-5773",
    "CVE-2026-6276"
  ],
  "fingerprint": "96b7f52379d92df7188d",
  "generated_at": "2026-05-24T21:46:43Z",
  "package": "curl",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "8.18.0"
}

# CVE triage request / Запрос на разбор CVE ## Package / Пакет - Package: `curl` - Version: `8.18.0` - EVR: `8.18.0-2` - Category: `-` - Policy class: `-` - NiceOS policy class: `-` - Owner: `-` - Severity: `HIGH` - Max CVSS: `7.5` - CVE count: `3` ## LLM recommendation / Рекомендация LLM ### RU Для пакета curl 8.18.0 найдены CVE-кандидаты по данным NVD/CPE: CVE-2026-3805, CVE-2026-5773, CVE-2026-6276. Требуется triage security-team. Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета. **Рекомендуемое действие:** `needs_triage` **Подсказка по целевой версии:** `-` **Проверки:** Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета. **Риски:** Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС. ### EN NVD/CPE candidate CVEs were found for curl 8.18.0: CVE-2026-3805, CVE-2026-5773, CVE-2026-6276. Security-team triage is required. Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required. **Recommended action:** `needs_triage` **Target version hint:** `-` **Tests:** Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests. **Risks:** An automatic NVD/CPE match is not the final NiceOS vulnerability verdict. ## CVE candidates from NVD/CPE | CVE | Severity | CVSS | Match | NiceOS status | Reason | |---|---|---:|---|---|---| | CVE-2026-3805 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range | | CVE-2026-5773 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range | | CVE-2026-6276 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range | ## Descriptions ### CVE-2026-3805 When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. ### CVE-2026-5773 libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same. ### CVE-2026-6276 Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them. ## Maintainer checklist - [ ] Verify whether each CVE applies to the NiceOS build. - [ ] Compare NVD data with upstream/vendor advisory. - [ ] Set final NiceOS status: `affected`, `fixed`, `not_affected`, `false_positive`, `deferred`, or `not_in_cloud_image`. - [ ] If affected, decide update/backport strategy according to package policy class. - [ ] Run package-class-specific build, upgrade and regression tests. - [ ] Add/update `niceos_cve_triage` entry. - [ ] Create `NICE-SA` advisory if a security update is shipped. ## Machine metadata ```json { "cves": [ "CVE-2026-3805", "CVE-2026-5773", "CVE-2026-6276" ], "fingerprint": "96b7f52379d92df7188d", "generated_at": "2026-05-24T21:46:43Z", "package": "curl", "prompt_version": "niceos_cve_issue_analysis_v1", "tool": "niceos_cve_create_issues.py", "tool_version": "1.0", "version": "8.18.0" } ```