CVE-2026-10536

CRITICAL

curl - HTTP/2 Stream-Dependency Tree UAF

Title source: rule
STIX 2.1

Description

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.

Scores

CVSS v3 9.8
EPSS 0.0089
EPSS Percentile 55.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-416
Status published
Products (34)
curl/curl 7.88.0
curl/curl 7.88.1
curl/curl 8.0.0
curl/curl 8.0.1
curl/curl 8.1.0
curl/curl 8.1.1
curl/curl 8.1.2
curl/curl 8.10.0
curl/curl 8.10.1
curl/curl 8.11.0
... and 24 more
Published Jul 03, 2026
Tracked Since Jul 03, 2026