CVE-2026-10536

Discovered by AISLEPUBLISHEDCWE-416 Use After Free

Description

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.

Affected Products

VendorProductVersionStatus
curlcurl8.20.0affected
curlcurl8.19.0
curlcurl8.18.0
curlcurl8.17.0
curlcurl8.16.0
curlcurl8.15.0
curlcurl8.14.1
curlcurl8.14.0
curlcurl8.13.0
curlcurl8.12.1
curlcurl8.12.0
curlcurl8.11.1
curlcurl8.11.0
curlcurl8.10.1
curlcurl8.10.0
curlcurl8.9.1
curlcurl8.9.0
curlcurl8.8.0
curlcurl8.7.1
curlcurl8.7.0
curlcurl8.6.0
curlcurl8.5.0
curlcurl8.4.0
curlcurl8.3.0
curlcurl8.2.1
curlcurl8.2.0
curlcurl8.1.2
curlcurl8.1.1
curlcurl8.1.0
curlcurl8.0.1
curlcurl8.0.0
curlcurl7.88.1
curlcurl7.88.0

Credits

  • Joshua Rogers (Aisle Research)(finder)
  • Stefan Eissing(remediation developer)

References