Vulnerability
curl/libcurl: Negotiate not treated as connection-oriented
libcurl keeps a pool of its last few connections around after use to facilitate easy, convenient and completely transparent connection reuse for applications. When an HTTP request is authenticated with Negotiate, the entire connection may become authenticated, not only the specific HTTP request, which is otherwise how HTTP works; this is because Negotiate can use NTLM under the hood. curl did not account for this fact but assumed that such requests were also authenticated per request. The net effect is that libcurl may end up reusing an authenticated Negotiate connection and sending subsequent requests on it using new credentials, while the connection remains authenticated with the credentials from the initial setup.
No CVSS base score from NVD or GHSA yet.
Mid-pack — moderate exploitation likelihood.
No VEX statements published for CVE-2015-3148. Vendors publish VEX (Vulnerability Exploitability eXchange) to assert per-product whether a CVE is actually exploitable in their distribution.
No exploitation, limited impact or prevalence