Home

Description

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.

PUBLISHED Reserved 2026-06-01 | Published 2026-07-03 | Updated 2026-07-06 | Assigner curl

Problem types

CWE-416 Use After Free

Product status

Default status
unaffected

8.20.0 (semver)
affected

8.19.0 (semver)
affected

8.18.0 (semver)
affected

8.17.0 (semver)
affected

8.16.0 (semver)
affected

8.15.0 (semver)
affected

8.14.1 (semver)
affected

8.14.0 (semver)
affected

8.13.0 (semver)
affected

8.12.1 (semver)
affected

8.12.0 (semver)
affected

8.11.1 (semver)
affected

8.11.0 (semver)
affected

8.10.1 (semver)
affected

8.10.0 (semver)
affected

8.9.1 (semver)
affected

8.9.0 (semver)
affected

8.8.0 (semver)
affected

8.7.1 (semver)
affected

8.7.0 (semver)
affected

8.6.0 (semver)
affected

8.5.0 (semver)
affected

8.4.0 (semver)
affected

8.3.0 (semver)
affected

8.2.1 (semver)
affected

8.2.0 (semver)
affected

8.1.2 (semver)
affected

8.1.1 (semver)
affected

8.1.0 (semver)
affected

8.0.1 (semver)
affected

8.0.0 (semver)
affected

7.88.1 (semver)
affected

7.88.0 (semver)
affected

Credits

Joshua Rogers (Aisle Research) finder

Stefan Eissing remediation developer

References

hackerone.com/reports/3751697 exploit

curl.se/docs/CVE-2026-10536.json (json)

curl.se/docs/CVE-2026-10536.html (www)

hackerone.com/reports/3751697 (issue)

cve.org (CVE-2026-10536)

nvd.nist.gov (CVE-2026-10536)

Download JSON