A use-after-free vulnerability exists in libcurl when an application
configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or
`CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and
finally terminates the handle with `curl_easy_cleanup()`. During this final
cleanup phase, libcurl attempts to access and modify an internal structure
that was already freed during the reset operation.
References
| Link | Resource |
|---|---|
| https://curl.se/docs/CVE-2026-10536.html | Patch Vendor Advisory |
| https://curl.se/docs/CVE-2026-10536.json | Vendor Advisory |
| https://hackerone.com/reports/3751697 | Exploit Issue Tracking Third Party Advisory |
| https://hackerone.com/reports/3751697 | Exploit Issue Tracking Third Party Advisory |
Configurations
History
07 Jul 2026, 18:02
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://curl.se/docs/CVE-2026-10536.html - Patch, Vendor Advisory | |
| References | () https://curl.se/docs/CVE-2026-10536.json - Vendor Advisory | |
| References | () https://hackerone.com/reports/3751697 - Exploit, Issue Tracking, Third Party Advisory | |
| CPE | cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* | |
| First Time |
Haxx curl
Haxx |
|
| CWE | CWE-416 |
06 Jul 2026, 19:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
| References | () https://hackerone.com/reports/3751697 - |
03 Jul 2026, 07:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-03 07:16
Updated : 2026-07-07 18:02
NVD link : CVE-2026-10536
Mitre link : CVE-2026-10536
CVE.ORG link : CVE-2026-10536
JSON object : View
Products Affected
haxx
- curl
CWE
CWE-416
Use After Free
