CVE Catalog

CVE-2026-10536

Unknown
Published: Translated: NVD NIST

Summary

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, subsequently invokes curl_easy_reset(), and finally terminates the handle with curl_easy_cleanup(). During the final cleanup, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.

Risk Assessment

This vulnerability can cause application crashes or potentially allow an attacker to execute arbitrary code, posing a serious risk to the stability and security of systems using libcurl.

Recommendation

Immediately update libcurl to a patched version and avoid using curl_easy_reset() after configuring HTTP/2 stream dependencies without reconfiguring them.

Original NVD description (English source)

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS