CVE-2026-10536
HTTP/2 stream-dependency tree UAF
Project curl Security Advisory, June 24 2026
VULNERABILITY
A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, subsequently invokes curl_easy_reset(), and finally terminates the handle with curl_easy_cleanup(). During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.
INFO
To trigger this flaw, one of the extremely rarely used options for HTTP/2 dependencies needs to be used. HTTP/2 dependencies are generally considered deprecated.
Using valgrind or an address sanitizer build triggers an error for this. Running a debug version of libcurl makes it abort on an assert.
This bug is considered a C mistake (likely to have been avoided had we not been using C).
This flaw does not affect the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-10536 to this issue.
CWE-416: Use After Free
Severity: Low
AFFECTED VERSIONS
- Affected versions: curl 7.88.0 to and including 8.20.0
- Not affected versions: curl < 7.88.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/71b7e0161032927cdfb
libcurl is used by many applications, but not always advertised as such!
SOLUTION
libcurl drops support for HTTP/2 stream dependencies. Starting with this fix, setting CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E becomes a no-op.
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.21.0
B - Apply the patch to your version and rebuild
C - Avoid using HTTP/2 stream dependencies
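As an added illustration of recommendation C (not code from the curl project), the following shows how an application can gate its use of the deprecated dependency options on the libcurl version it actually runs against. It assumes the application obtains the version string at runtime (for example from curl_version_info()) and mirrors libcurl's 0xXXYYZZ version_num encoding; the function and constant names are the author's own.

```c
#include <stdio.h>
#include <string.h>

/* libcurl encodes versions as 0xXXYYZZ (major, minor, patch); this is the
 * same layout curl_version_info(CURLVERSION_NOW)->version_num uses. */
#define CURL_VER(maj, min, pat) (((maj) << 16) | ((min) << 8) | (pat))

/* Affected range taken from the advisory: 7.88.0 up to and including 8.20.0. */
static const unsigned int FIRST_AFFECTED = CURL_VER(7, 88, 0);
static const unsigned int FIRST_FIXED    = CURL_VER(8, 21, 0);

/* Parse "8.20.0" (a suffix such as "-DEV" is tolerated) into the 0xXXYYZZ
 * encoding. Returns 0 on malformed input or out-of-range components. */
unsigned int parse_curl_version(const char *s)
{
    unsigned int maj, min, pat;
    if (!s || sscanf(s, "%u.%u.%u", &maj, &min, &pat) != 3)
        return 0;
    if (maj > 0xff || min > 0xff || pat > 0xff)
        return 0;
    return CURL_VER(maj, min, pat);
}

/* 1 if a libcurl build with this version_num carries CVE-2026-10536. */
int curl_affected_by_cve_2026_10536(unsigned int version_num)
{
    return version_num >= FIRST_AFFECTED && version_num < FIRST_FIXED;
}

/* Application-side gate: only hand CURLOPT_STREAM_DEPENDS / _E to a build
 * that is not affected. The options are only a prioritisation hint, so a
 * handle works fine without them; an unparsable version is treated as unsafe.
 * (From 8.21.0 on the options are a no-op anyway, so "allowed" is harmless.) */
int stream_depends_allowed(const char *runtime_version)
{
    unsigned int v = parse_curl_version(runtime_version);
    if (v == 0)
        return 0;
    return !curl_affected_by_cve_2026_10536(v);
}

int main(void)
{
    /* constructed sample version strings around the affected range */
    const char *samples[] = { "7.87.0", "7.88.0", "8.20.0", "8.21.0" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("libcurl %s: stream dependencies %s\n", samples[i],
               stream_depends_allowed(samples[i]) ? "allowed" : "disabled");
    return 0;
}
```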
TIMELINE
This issue was reported to the curl project on May 20, 2026.
curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Joshua Rogers
- Patched-by: Stefan Eissing
Thanks a lot!