curl 8.19.0 Patches Four Security Vulnerabilities Including SMB Use-After-Free
The curl project has released version 8.19.0 with fixes for four security vulnerabilities, including CVE-2026-3805 — a use-after-free bug in SMB connection reuse that could leak sensitive data from freed memory. The release also addresses credential leaks during redirects and incorrect proxy connection reuse.
The curl project has released version 8.19.0 — its 273rd release — with fixes for four security vulnerabilities discovered through a combination of internal auditing and external reports. The most serious flaw, CVE-2026-3805, is a use-after-free bug in SMB connection reuse that could leak sensitive data from previously freed memory.
CVE-2026-3805: SMB Use-After-Free
When curl reuses an SMB connection for a subsequent transfer, a code path exists where the library calls strlen() on a pointer to memory that has already been freed. Depending on what now occupies that memory, the operation could read and potentially transmit sensitive data from the process's heap — including credentials, tokens, or other secrets from previous operations. The bug has existed since SMB support was added and affects any application using libcurl with SMB URLs and connection reuse enabled.
Additional Fixes
CVE-2026-1965 addresses a flaw in HTTP Negotiate (SPNEGO/Kerberos) authentication where curl could incorrectly reuse a connection that had been authenticated with different credentials. An attacker who could influence connection pooling behavior could potentially access resources using another user's authentication context.
CVE-2026-3783 fixes a token leak that occurs when curl follows a redirect while using a .netrc file for credentials. Under specific conditions, the authentication token from the original request could be sent to the redirect target — a different host that should not receive the credentials. CVE-2026-3784 addresses a related issue where proxy connections could be reused even when the credentials associated with them differed from the current request.
Release Statistics
Beyond the security fixes, curl 8.19.0 includes 264 bug fixes from 538 commits contributed by 77 developers over the 56-day release cycle. The project's maintainer Daniel Stenberg noted that this release continues curl's track record of addressing security issues promptly — the project has fixed over 150 CVEs since its inception, with an average time-to-fix of under 30 days.
Users of any curl or libcurl version prior to 8.19.0 should upgrade, particularly those using SMB protocol support or HTTP Negotiate authentication.
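As an added check, not code from the curl project, for inventorying installed builds against the four fixes above: it parses the output of `curl --version`, which reports the linked libcurl version plus its Protocols and Features lines, and maps them to the CVEs. It assumes, per the upgrade advice above, that every libcurl older than 8.19.0 is affected, that CVE-2026-3805 needs SMB compiled in and CVE-2026-1965 needs SPNEGO; the sample output is constructed.

```python
import re

# Fixes shipped in curl 8.19.0, keyed by CVE. Two of them only matter when the
# named protocol or feature was compiled into libcurl. Assumption: every libcurl
# older than 8.19.0 is treated as affected, so a distribution build that
# backports the fixes without bumping its version is still flagged.
FIXED_IN = (8, 19, 0)
CVES = {
    "CVE-2026-3805": ("protocols", "smb"),    # SMB connection reuse use-after-free
    "CVE-2026-1965": ("features", "SPNEGO"),  # HTTP Negotiate connection reuse
    "CVE-2026-3783": None,                    # .netrc token sent to redirect target
    "CVE-2026-3784": None,                    # proxy reused across credentials
}

# Constructed sample of `curl --version` output for an unpatched build.
SAMPLE_VULNERABLE = """\
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 nghttp2/1.59.0
Release-Date: 2023-12-06
Protocols: dict file ftp ftps http https imap imaps smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos NTLM SPNEGO SSL
"""
SAMPLE_PATCHED = SAMPLE_VULNERABLE.replace("8.5.0", "8.19.0")

def parse_curl_version(text):
    """Return the libcurl version tuple plus the Protocols and Features sets."""
    info = {"libcurl": None, "protocols": set(), "features": set()}
    for line in text.splitlines():
        if line.startswith("curl "):
            # Read the libcurl/ token, not the leading "curl X.Y.Z": the binary
            # and the shared library it links against can differ in version.
            m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", line)
            if m:
                info["libcurl"] = tuple(int(x) for x in m.groups())
        elif line.startswith("Protocols:"):
            info["protocols"] = set(line.split(":", 1)[1].split())
        elif line.startswith("Features:"):
            info["features"] = set(line.split(":", 1)[1].split())
    if info["libcurl"] is None:
        raise ValueError("no libcurl/X.Y.Z token in first line")
    return info

def applicable_cves(info):
    """Return the CVEs above that apply to a parsed build."""
    # Compare integer tuples: as strings, "8.5.0" would sort after "8.19.0".
    if info["libcurl"] >= FIXED_IN:
        return []
    return [cve for cve, need in CVES.items()
            if need is None or need[1] in info[need[0]]]
```

Feed it `curl --version` output captured from each host; a build flagged here that a distribution has patched without changing the version number still needs its changelog checked by hand.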