{ "schema_version": "1.5.0", "id": "CURL-CVE-2026-10536", "aliases": [ "CVE-2026-10536" ], "summary": "HTTP/2 stream-dependency tree UAF", "modified": "2026-06-24T15:14:27.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2026-10536.json", "www": "https://curl.se/docs/CVE-2026-10536.html", "issue": "https://hackerone.com/reports/3751697", "CWE": { "id": "CWE-416", "desc": "Use After Free" }, "last_affected": "8.20.0", "severity": "Low" }, "published": "2026-06-24T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.88.0"}, {"fixed": "8.21.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "71b7e0161032927cdfb4e75ea40f65b8898b3956"}, {"fixed": "bfbff7852f050232edd3e5ca5c6bf2021c340f5a"} ] } ], "versions": [ "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0" ] } ], "credits": [ { "name": "Joshua Rogers (Aisle Research)", "type": "FINDER" }, { "name": "Stefan Eissing", "type": "REMEDIATION_DEVELOPER" } ], "details": "A use-after-free vulnerability exists in libcurl when an application\nconfigures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or\n`CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and\nfinally terminates the handle with `curl_easy_cleanup()`. During this final\ncleanup phase, libcurl attempts to access and modify an internal structure\nthat was already freed during the reset operation." }