CVE-2026-9080
Status: Received - Intake

Use-After-Free in libcurl During Event-Based Socket Callback

Vulnerability report for CVE-2026-9080, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: curl

Description

Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.

Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A

Affected Vendors & Products

1 associated CPE

Vendor   Product   Version / Range
curl     libcurl   8.13.0 (inclusive) to 8.20.0 (inclusive)

CWE

CWE ID: CWE-UNKNOWN (no CWE is assigned on this page; the behaviour described, a write through a freed struct pointer, is a use-after-free, CWE-416)

AI Quick Actions
Executive Summary

CVE-2026-9080 is a use-after-free in libcurl that is triggered when an application calls curl_easy_pause() from inside its CURLMOPT_SOCKETFUNCTION callback, that is, while libcurl's event-based (multi_socket) machinery is still executing.

Pausing the transfer from within that callback frees a struct that the surrounding libcurl code still holds a pointer to; libcurl then stores a flag through that dangling pointer.

A write through freed memory is undefined behaviour in C: depending on allocator state it can be silent, corrupt whatever has since been placed at that address, or crash the process.

The vulnerability affects libcurl 8.13.0 through 8.20.0 and is fixed in 8.21.0.

Impact Analysis

The store through the dangling pointer is a write to heap memory that has already been freed. Depending on allocator state it may have no visible effect, corrupt whatever object has since been allocated at that address, or crash the process.

The severity is rated low. The bug is reachable only in applications that pause a transfer from inside the socket callback, and the public description gives no indication that an attacker can steer the written value or the reuse of the freed memory, so the outcomes to expect are instability or crashes in the affected application.

The curl command line tool is not affected. Exposed are programs that drive libcurl through the event-based multi_socket API (a CURLMOPT_SOCKETFUNCTION callback) and call curl_easy_pause() from within that callback.

Upgrade to libcurl 8.21.0 or later, apply the fix as a patch, or move the curl_easy_pause() call out of the socket callback.

Detection Guidance

This issue is a use-after-free reached through application code: curl_easy_pause() called from inside a CURLMOPT_SOCKETFUNCTION callback. The curl command line tool does not use that pattern and is not affected.

The linked resources provide no scanner signature or detection command. The practical checks are a version gate and a code audit. At build time the LIBCURL_VERSION_NUM macro identifies the headers compiled against (fixed builds are 0x081500, i.e. 8.21.0, or higher); at run time curl_version_info(CURLVERSION_NOW)->version_num identifies the library actually loaded, which matters when libcurl is dynamically linked and may differ from the build-time version. The audit is a search for curl_easy_pause() calls reachable from any function installed as CURLMOPT_SOCKETFUNCTION.
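As an added example (not from this page, the curl project, or the advisory), the following standalone C program implements a version gate for this CVE: it parses a libcurl version string such as the one found in curl_version_info()->version or printed by "curl --version" into libcurl's 0xXXYYZZ version_num encoding and reports whether it falls inside the affected range 8.13.0 to 8.20.0. It has no libcurl dependency; the range constants come from this page and the encoding is the one libcurl uses for LIBCURL_VERSION_NUM. The sample version strings in main() are constructed for illustration. In a real application the unsigned value from curl_version_info(CURLVERSION_NOW)->version_num can be passed straight to cve_2026_9080_affected().

```c
/* Version gate for CVE-2026-9080 (libcurl 8.13.0 through 8.20.0, fixed in
 * 8.21.0). Standalone C, no libcurl needed; the constants use the same
 * 0xXXYYZZ encoding as LIBCURL_VERSION_NUM and version_num. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CVE_2026_9080_FIRST_AFFECTED 0x080D00u /* 8.13.0 */
#define CVE_2026_9080_LAST_AFFECTED  0x081400u /* 8.20.0 */
#define CVE_2026_9080_FIXED          0x081500u /* 8.21.0 */

/* Parse "MAJOR.MINOR.PATCH" into libcurl's version_num encoding.
 * A trailing suffix such as "-DEV" is ignored (note that a -DEV snapshot
 * may predate the fix even if its number reads as fixed).
 * Returns 0 on malformed input; 0 is never a valid libcurl version_num. */
unsigned int curl_version_num_from_string(const char *s)
{
    unsigned long part[3];
    char *end;
    int i;

    if (s == NULL)
        return 0;
    for (i = 0; i < 3; i++) {
        if (!isdigit((unsigned char)*s))
            return 0;
        part[i] = strtoul(s, &end, 10);
        if (part[i] > 255)          /* each component occupies one byte */
            return 0;
        s = end;
        if (i < 2) {
            if (*s != '.')
                return 0;
            s++;
        }
    }
    return (unsigned int)((part[0] << 16) | (part[1] << 8) | part[2]);
}

/* 1 if version_num lies inside the affected range, 0 otherwise.
 * Suitable for curl_version_info(CURLVERSION_NOW)->version_num. */
int cve_2026_9080_affected(unsigned int version_num)
{
    return version_num >= CVE_2026_9080_FIRST_AFFECTED &&
           version_num <= CVE_2026_9080_LAST_AFFECTED;
}

/* Same check on a version string. Returns -1 if the string cannot be parsed. */
int cve_2026_9080_affected_str(const char *version)
{
    unsigned int num = curl_version_num_from_string(version);
    if (num == 0)
        return -1;
    return cve_2026_9080_affected(num);
}

int main(void)
{
    /* Constructed sample inputs, not data taken from the advisory. */
    const char *samples[] = { "8.12.1", "8.13.0", "8.16.0",
                              "8.20.0", "8.21.0", "not-a-version" };
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        int r = cve_2026_9080_affected_str(samples[n]);
        printf("libcurl %-14s -> %s\n", samples[n],
               r < 0 ? "unparseable" : r ? "AFFECTED" : "not affected");
    }
    return 0;
}
```

Pair the gate with the code audit: a fixed or unaffected library version makes the audit unnecessary, but an affected version only matters if some CURLMOPT_SOCKETFUNCTION callback in the application can reach curl_easy_pause().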

Mitigation Strategies

Upgrade libcurl to 8.21.0 or later, where the issue is fixed.

If upgrading is not immediately possible, apply the fix as a patch, or restructure the application so that curl_easy_pause() is never called from inside the CURLMOPT_SOCKETFUNCTION callback: record the intent to pause in the callback (for example a flag on the application's per-transfer state) and issue the curl_easy_pause() call only after curl_multi_socket_action() has returned control to the event loop.
