new file mode 100644
@@ -0,0 +1,46 @@
+From 33e43985b8f3b9e66691d06e70be0395849856cd Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Thu, 2 Apr 2026 11:33:39 +0200
+Subject: [PATCH] url: improve connection reuse on negotiate
+
+Check state of negotiate to allow proper connection reuse.
+
+Closes #21203
+
+CVE: CVE-2026-5545
+Upstream-Status: Backport [https://github.com/curl/curl/commit/33e43985b8f3b9e66691d06e70be0395849856cd]
+
+(cherry picked from commit 33e43985b8f3b9e66691d06e70be0395849856cd)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ lib/url.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index b9e308a..7c24f1a 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1110,11 +1110,17 @@ static bool url_match_auth_ntlm(struct connectdata *conn,
+ if(m->want_ntlm_http) {
+ if(Curl_timestrcmp(m->needle->user, conn->user) ||
+ Curl_timestrcmp(m->needle->passwd, conn->passwd)) {
+-
+ /* we prefer a credential match, but this is at least a connection
+- that can be reused and "upgraded" to NTLM */
+- if(conn->http_ntlm_state == NTLMSTATE_NONE)
++ that can be reused and "upgraded" to NTLM if it does
++ not have any auth ongoing. */
++#ifdef USE_SPNEGO
++ if((conn->http_ntlm_state == NTLMSTATE_NONE)
++ && (conn->http_negotiate_state == GSS_AUTHNONE)) {
++#else
++ if(conn->http_ntlm_state == NTLMSTATE_NONE) {
++#endif
+ m->found = conn;
++ }
+ return FALSE;
+ }
+ }
+--
+2.43.7
+
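Review bot: The added `conn->http_negotiate_state == GSS_AUTHNONE` test sits only in the branch where `m->want_ntlm_http` is set and the credentials differ. url_match_auth_ntlm starts and ends outside this hunk, so the patch alone does not show that a connection with Negotiate in progress is kept out of reuse on the function's other paths in this recipe's curl version. Because the fix is cherry-picked, it would help to confirm that the surrounding reuse checks in the target `lib/url.c` match upstream and to record that in the patch header, e.g. `Backport notes: applied unmodified; surrounding negotiate reuse checks verified in this version`. The guard is compiled only under `USE_SPNEGO`, and the `#else` branch keeps the previous NTLM-only condition, so the header could also state that builds without SPNEGO see no behaviour change from this patch.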
@@ -15,6 +15,7 @@ SRC_URI = " \
file://disable-tests \
file://no-test-timeout.patch \
file://CVE-2026-6276.patch \
+ file://CVE-2026-5545.patch \
file://mbedtls.patch \
"