Skip to content
CVSS 9.8 · CRITICAL

CVE-2026-10536

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.

View on NVD

Analysis

A critical use-after-free vulnerability has been discovered in libcurl (curl) affecting HTTP/2 stream-dependency handling. If your application uses curl_easy_reset in conjunction with stream dependencies, it could trigger memory corruption during cleanup. Given libcurl's role as core infrastructure for most software stacks, developers should verify and update their versions.

Relevant roles

BackendLinuxCC++CyberSecurityCloud

Severity

Score: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH

EPSS

Probability of exploitation (next 30 days): 0.0021 (0.2%)
Percentile: 10.8%
EPSS: 2026-07-06

Technical description

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.

Published: 7/3/2026, 7:16:23 AM
Last modified: 7/6/2026, 7:16:54 PM

References

HomeEventsBlogResourcesTeam