UAF after pause in socket callback
==================================

Project curl Security Advisory, June 24 2026
[Permalink](https://curl.se/docs/CVE-2026-9080.html)

VULNERABILITY
-------------

Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION`
callback triggers a use-after-free vulnerability, where libcurl attempts to
store a flag using a dangling struct pointer immediately after that pointer's
memory has been freed.

INFO
----

This bug is considered a *C mistake* (likely to have been avoided had we not
been using C).

This flaw does not affect the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-9080 to this issue.

CWE-416: Use After Free

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 8.13.0 to and including 8.20.0
- Not affected versions: curl < 8.13.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/cfc657a48d

libcurl is used by many applications, but not always advertised as such!

SOLUTION
--------

- Fixed-in: https://github.com/curl/curl/commit/5ab34cba42e4ee4282fe

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl and libcurl to version 8.21.0

 B - Apply the patch to your version and rebuild

 C - Avoid pausing within the socket callback
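
Recommendation C in practice, as an added example that is not curl project code: instead of calling `curl_easy_pause()` from inside `CURLMOPT_SOCKETFUNCTION`, the application records the request in the callback and applies it only after `curl_multi_socket_action()` has returned to its event loop. Applying the pause at that point, keeping the easy handle as an opaque `void *` and the fixed queue size are assumptions of this example; it builds without any libcurl header.

```c
#include <stddef.h>

#define MAX_PENDING 16

/* One deferred pause: the easy handle (kept as an opaque pointer, since no
 * libcurl header is included here) and the CURLPAUSE_* bitmask to apply. */
struct pending_pause {
    void *easy;
    int bitmask;
};

struct pause_queue {
    struct pending_pause items[MAX_PENDING];
    size_t count;
};

/* Call this from inside CURLMOPT_SOCKETFUNCTION instead of curl_easy_pause().
 * Repeated requests for the same handle are merged by OR-ing the bitmask.
 * Returns 0 on success, -1 if the queue is full so the caller can report it
 * rather than dropping the request silently. */
int request_pause(struct pause_queue *q, void *easy, int bitmask)
{
    for (size_t i = 0; i < q->count; i++) {
        if (q->items[i].easy == easy) {
            q->items[i].bitmask |= bitmask;
            return 0;
        }
    }
    if (q->count >= MAX_PENDING)
        return -1;
    q->items[q->count].easy = easy;
    q->items[q->count].bitmask = bitmask;
    q->count++;
    return 0;
}

/* Call this from the event loop once curl_multi_socket_action() has
 * returned, i.e. outside every libcurl callback.  Moves up to `max` queued
 * requests into `out`, keeps any leftovers queued, and returns the number
 * moved.  The loop then calls
 *     curl_easy_pause((CURL *)out[i].easy, out[i].bitmask);
 * for each entry, at a point where libcurl is not inside its own socket
 * bookkeeping (the situation this advisory describes). */
size_t drain_pending_pauses(struct pause_queue *q,
                            struct pending_pause *out, size_t max)
{
    size_t n = q->count < max ? q->count : max;
    for (size_t i = 0; i < n; i++)
        out[i] = q->items[i];
    for (size_t i = n; i < q->count; i++)   /* shift leftovers to the front */
        q->items[i - n] = q->items[i];
    q->count -= n;
    return n;
}
```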

TIMELINE
--------

This issue was reported to the curl project on May 19, 2026.

curl 8.21.0 was released on June 24 2026, coordinated with the publication of
this advisory.

CREDITS
-------

- Reported-by: Joshua Rogers
- Patched-by: Joshua Rogers
- Patched-by: Daniel Stenberg

Thanks a lot!
