CVE-2026-3805: use after free in SMB connection reuse
Vulnerability Summary
HackerOne disclosed report: https://hackerone.com/reports/3591944 (reported by rat5ak)
Summary
A heap-use-after-free occurs in smb_send_open() at lib/smb.c when curl processes two SMB URLs targeting the same host. The function smb_parse_url_path() sets req->path as a non-owning pointer into smbc->share (connection-owned memory). During connection reuse, the needle connection is freed via Curl_conn_free() → smb_conn_dtor(), which frees smbc->share, but req->path (on the easy handle) still references the freed buffer. The subsequent strlen(req->path) in smb_send_open() reads freed heap memory.
Affected Version
curl 8.19.0-DEV (master branch, built March 8 2026)
Platform: Ubuntu 22.04 on x86_64 (WSL2)
Built with: gcc, OpenSSL, --enable-smb, -fsanitize=address