Cyber Posture

CVE-2026-3805

HighPublic PoC

Published: 11 March 2026

Published
11 March 2026
Modified
12 March 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0003 8.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3805 is a high-severity Use After Free (CWE-416) vulnerability in Haxx Curl. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 8.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-16 Memory Protection
addresses: CWE-416

Use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Use-after-free in curl's SMB handling causes memory corruption and application crash on a second request to a malicious server, directly enabling remote DoS via application exploitation (T1499.004) with no other impacts or behaviors indicated.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.

Deeper analysisAI

CVE-2026-3805 is a use-after-free vulnerability (CWE-416) in the curl library, published on 2026-03-11. It arises when curl processes a second SMB request to the same host, incorrectly using a data pointer that references already freed memory. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high-impact denial of service due to availability disruption without confidentiality or integrity effects.

A network-accessible attacker can exploit this remotely without privileges or user interaction. By controlling an SMB server and inducing a curl-using application to issue a second SMB request to that host—such as through crafted network traffic or application inputs—the attacker triggers memory corruption, typically causing the application to crash and resulting in denial of service.

Official advisories from the curl project detail mitigations, including patches for affected versions, at https://curl.se/docs/CVE-2026-3805.html and https://curl.se/docs/CVE-2026-3805.json. Further technical discussion appears in the HackerOne disclosure report at https://hackerone.com/reports/3591944 and the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/03/11/4. Security practitioners should review these resources promptly for upgrade guidance.

Details

CWE(s)
CWE-416

Affected Products

haxx
curl
8.13.0 — 8.19.0

CVEs Like This One

CVE-2026-6754Shared CWE-416
CVE-2026-23351Shared CWE-416
CVE-2026-27828Shared CWE-416
CVE-2026-25954Shared CWE-416
CVE-2026-4271Shared CWE-416
CVE-2026-28799Shared CWE-416
CVE-2026-26986Shared CWE-416
CVE-2026-26330Shared CWE-416
CVE-2025-63652Shared CWE-416
CVE-2024-56434Shared CWE-416

References