CVE-2026-10536

Use-After-Free in libcurl HTTP/2 Stream Dependency Handling

Vulnerability report for CVE-2026-10536, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: curl

Description

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.


Affected Vendors & Products

Vendor   Product   Version / Range
curl     libcurl   7.88.0 (inclusive) to 8.20.0 (inclusive)


Executive Summary

CVE-2026-10536 is a use-after-free vulnerability in libcurl affecting versions 7.88.0 through 8.20.0.

The issue occurs when an application configures an HTTP/2 stream-dependency tree using the options CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, then calls curl_easy_reset(), and finally calls curl_easy_cleanup().

During the cleanup phase, libcurl attempts to access and modify an internal data structure that was already freed during the reset operation, leading to undefined behavior.

This vulnerability is classified as CWE-416 (Use After Free) and has a severity rating of Low.

Impact Analysis

This vulnerability can cause libcurl to access freed memory during cleanup, which may lead to undefined behavior such as crashes or memory corruption.

Because it is a use-after-free, it could be exploited to cause a denial of service or other unexpected behavior in applications that use the affected libcurl versions.

However, triggering the vulnerability requires the rarely used and generally deprecated HTTP/2 stream dependency options, which limits the number of exposed applications.

The curl command line tool is not affected by this issue.

Users are advised to upgrade to libcurl version 8.21.0 or later, apply patches, or avoid using HTTP/2 stream dependencies to mitigate this vulnerability.

Detection Guidance

This vulnerability can be detected with memory debugging tools such as Valgrind or AddressSanitizer, which flag use-after-free errors at runtime.

In debug builds of libcurl, an assert fires and the program aborts when the issue is triggered, which also aids detection.

Since the vulnerability depends on a specific libcurl API sequence (setting HTTP/2 stream dependencies, then calling curl_easy_reset() followed by curl_easy_cleanup()), auditing applications for that usage pattern helps identify potential triggers.

Mitigation Strategies

The primary mitigation is to upgrade libcurl to version 8.21.0 or later, where the vulnerability has been fixed by removing support for HTTP/2 stream dependencies.

Alternatively, apply the official patch provided for this vulnerability if upgrading is not immediately possible.

As a temporary workaround, avoid using the HTTP/2 stream dependency options CURLOPT_STREAM_DEPENDS and CURLOPT_STREAM_DEPENDS_E in your applications.
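The following added example (not code from the advisory page or from the curl project) turns the Detection Guidance and the affected-version range above into two defender-side checks: a version comparison against the stated range 7.88.0 to 8.20.0, and a textual scan of C source for easy handles on which CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E is set and which are later passed to curl_easy_reset() and then curl_easy_cleanup(). The sample C snippet is constructed for the demonstration; the scan is a per-handle line heuristic, not data-flow analysis, so it is a triage aid, not proof of exploitability.

```python
"""Audit helpers for CVE-2026-10536 (added example, not curl project code).

1. is_affected_version(): is a libcurl version inside the advisory's
   affected range 7.88.0 .. 8.20.0 (both inclusive)?
2. find_trigger_sequences(): does C source set the HTTP/2 stream
   dependency option on an easy handle that is later reset and cleaned up?
"""
import re
from typing import Dict, List, Tuple

AFFECTED_MIN = (7, 88, 0)   # from the advisory's affected range
AFFECTED_MAX = (8, 20, 0)   # inclusive
FIXED_MIN = (8, 21, 0)      # first version stated as fixed

def parse_version(text: str) -> Tuple[int, int, int]:
    """Accept '8.20.0' or 'libcurl/8.4.0' style strings."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected_version(text: str) -> bool:
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX

# The three API calls that make up the trigger sequence, keyed by handle name.
_SETOPT = re.compile(
    r"curl_easy_setopt\s*\(\s*(\w+)\s*,\s*(CURLOPT_STREAM_DEPENDS(?:_E)?)\b")
_RESET = re.compile(r"curl_easy_reset\s*\(\s*(\w+)\s*\)")
_CLEANUP = re.compile(r"curl_easy_cleanup\s*\(\s*(\w+)\s*\)")

def find_trigger_sequences(source: str) -> List[Dict[str, object]]:
    """One finding per handle that is: setopt(STREAM_DEPENDS*) -> reset -> cleanup,
    in that textual order. Handles never given the option are ignored."""
    state: Dict[str, Dict[str, object]] = {}
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]          # ignore trailing line comments
        m = _SETOPT.search(code)
        if m:
            h = state.setdefault(m.group(1), {})
            h.setdefault("setopt", lineno)
            h["option"] = m.group(2)
            continue
        m = _RESET.search(code)
        if m and "setopt" in state.get(m.group(1), {}):
            state[m.group(1)].setdefault("reset", lineno)
            continue
        m = _CLEANUP.search(code)
        if m:
            h = state.get(m.group(1), {})
            if "setopt" in h and "reset" in h:
                findings.append({
                    "handle": m.group(1), "option": h["option"],
                    "setopt_line": h["setopt"], "reset_line": h["reset"],
                    "cleanup_line": lineno,
                })
    return findings

# Constructed sample: handle `h` shows the advisory's sequence, `ok` does not.
SAMPLE_SOURCE = """CURL *h = curl_easy_init();
curl_easy_setopt(h, CURLOPT_URL, "https://example.invalid/");
curl_easy_setopt(h, CURLOPT_STREAM_DEPENDS, parent);
curl_easy_perform(h);
curl_easy_reset(h);    /* frees the dependency tree */
curl_easy_cleanup(h);  /* touches it again: CVE-2026-10536 */

CURL *ok = curl_easy_init();
curl_easy_setopt(ok, CURLOPT_URL, "https://example.invalid/");
curl_easy_reset(ok);
curl_easy_cleanup(ok);
"""

if __name__ == "__main__":
    for v in ("7.87.0", "7.88.0", "libcurl/8.4.0", "8.20.0", "8.21.0"):
        print(f"{v:14s} affected={is_affected_version(v)}")
    for f in find_trigger_sequences(SAMPLE_SOURCE):
        print(f"handle {f['handle']}: {f['option']} at line {f['setopt_line']}, "
              f"reset at {f['reset_line']}, cleanup at {f['cleanup_line']}")
```

Run it over a real tree by feeding each .c file's contents to find_trigger_sequences(); a hit means the handle lifecycle matches the advisory's trigger and the code should be reviewed and, on an affected version, rebuilt against 8.21.0 or later.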
