HTTP/2 stream-dependency tree UAF
=================================

Project curl Security Advisory, June 24 2026
[Permalink](https://curl.se/docs/CVE-2026-10536.html)

VULNERABILITY
-------------

A use-after-free vulnerability exists in libcurl when an application
configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or
`CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and
finally terminates the handle with `curl_easy_cleanup()`. During this final
cleanup phase, libcurl attempts to access and modify an internal structure
that was already deallocated during the reset operation.

INFO
----

To trigger this flaw, an application needs to set one of the extremely rarely
used options for HTTP/2 stream dependencies. HTTP/2 stream dependencies are
generally considered deprecated (RFC 9113 deprecated the RFC 7540 priority
scheme).

Running under valgrind or an AddressSanitizer build triggers an error for
this. A debug build of libcurl aborts on an assert.

This bug is considered a *C mistake* (likely to have been avoided had we not
been using C).

This flaw does not affect the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-10536 to this issue.

CWE-416: Use After Free

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.88.0 to and including 8.20.0
- Not affected versions: curl < 7.88.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/71b7e0161032927cdfb

libcurl is used by many applications, but not always advertised as such!

SOLUTION
--------

libcurl drops support for HTTP/2 stream dependencies. Starting with this fix,
setting `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E` becomes a no-op.

- Fixed-in: https://github.com/curl/curl/commit/bfbff7852f050232edd3e5ca

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl and libcurl to version 8.21.0

 B - Apply the patch to your version and rebuild

 C - Avoid using HTTP/2 stream dependencies
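The following is an added example written for this page, not code from the curl
project: it checks the two preconditions the advisory states (a libcurl in the
affected range and application code that sets one of the two stream-dependency
options), which covers both the affected-versions check and recommendation C. It
assumes `curl-config --version` prints `libcurl x.y.z` (the first line of
`curl --version` is also accepted); the version string and source files below
are constructed. Distribution packages may carry a backported fix under an old
version number, so treat the version test as indicative, and note that a text
scan cannot confirm the `curl_easy_reset()` then `curl_easy_cleanup()` sequence
the bug also requires.

```python
"""Check whether a libcurl build and the code linking it meet the
preconditions described in the CVE-2026-10536 advisory.

Example code added to this page, not part of the curl project. Sample
inputs at the bottom are constructed, not real tool output or real files.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Range stated in the advisory: 7.88.0 up to and including 8.20.0.
AFFECTED_MIN: Version = (7, 88, 0)
AFFECTED_MAX: Version = (8, 20, 0)

# The options the advisory names as the trigger precondition.
STREAM_DEPENDS_OPTIONS = ("CURLOPT_STREAM_DEPENDS", "CURLOPT_STREAM_DEPENDS_E")


def parse_version(text: str) -> Optional[Version]:
    """Pull x.y.z out of `curl-config --version` ("libcurl 8.20.0") or the
    first line of `curl --version` ("curl 8.20.0 (...) libcurl/8.20.0 ...").
    Returns None when no version is found."""
    m = re.search(r"\b(?:libcurl[ /]|curl )(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def version_in_affected_range(version: Version) -> bool:
    """Tuple comparison gives the numeric ordering the advisory's range uses
    (7.88.0 < 8.0.0 < 8.20.0); a plain string compare would get it wrong."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def stream_depends_uses(source: str) -> list:
    """Return (line number, option) pairs where the source names one of the
    deprecated dependency options. Comments are not excluded, so a hit is a
    pointer to review, not proof that the freed structure is reachable."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for opt in STREAM_DEPENDS_OPTIONS:
            # \b keeps CURLOPT_STREAM_DEPENDS from also matching the _E variant
            if re.search(r"\b%s\b" % re.escape(opt), line):
                hits.append((lineno, opt))
    return hits


def assess(version_output: str, sources: dict) -> dict:
    """Combine both checks. vulnerable_path_possible is True only when the
    linked libcurl is in the affected range AND some file sets one of the
    options. The advisory's trigger additionally needs curl_easy_reset()
    followed by curl_easy_cleanup() on that handle, which this scan does
    not verify."""
    version = parse_version(version_output)
    affected = version is not None and version_in_affected_range(version)
    uses = {name: stream_depends_uses(src) for name, src in sources.items()}
    uses = {name: hits for name, hits in uses.items() if hits}
    return {
        "version": version,
        "libcurl_affected": affected,
        "option_uses": uses,
        "vulnerable_path_possible": affected and bool(uses),
    }


# Constructed sample inputs for a stand-alone run.
SAMPLE_CURL_CONFIG = "libcurl 8.20.0\n"
SAMPLE_SOURCES = {
    "fetch.c": (
        "CURL *parent = curl_easy_init();\n"
        "CURL *child = curl_easy_init();\n"
        "curl_easy_setopt(child, CURLOPT_STREAM_DEPENDS, parent);\n"
        "curl_easy_reset(child);\n"
        "curl_easy_cleanup(child);\n"
    ),
    "plain.c": 'curl_easy_setopt(h, CURLOPT_URL, "https://example.com/");\n',
}

if __name__ == "__main__":
    print(assess(SAMPLE_CURL_CONFIG, SAMPLE_SOURCES))
```

In a real audit, feed `assess()` the captured output of `curl-config --version`
for the libcurl actually linked at runtime (not just the build host's) and the
contents of every source file that calls `curl_easy_setopt`; a positive result
means recommendation A or B applies, and a negative one only means the
precondition for this specific bug was not found.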

TIMELINE
--------

This issue was reported to the curl project on May 20, 2026.

curl 8.21.0 was released on June 24 2026, coordinated with the publication of
this advisory.

CREDITS
-------

- Reported-by: Joshua Rogers
- Patched-by: Stefan Eissing

Thanks a lot!
