CVE-2026-10536
curl · libcurl
A use-after-free vulnerability in libcurl allows potential memory corruption via manipulated HTTP/2 stream dependency configurations during handle cleanup.
Executive summary
A use-after-free vulnerability in libcurl (CVE-2026-10536) presents a critical risk of memory corruption and potential arbitrary code execution.
Vulnerability
This is a use-after-free vulnerability triggered when an application utilizes specific HTTP/2 stream-dependency functions (CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E) followed by curl_easy_reset() and curl_easy_cleanup(). The vulnerability is unauthenticated, as it pertains to the library's internal memory management during standard handle lifecycle operations.
Business impact
While the curl project has assessed the real-world risk as low due to the reliance on deprecated and rarely used HTTP/2 features, the CVSS score of 9.8 indicates a critical technical severity. Successful exploitation could lead to application crashes, denial of service, or potentially remote code execution, threatening the integrity and availability of services relying on the libcurl library.
Remediation
Immediate Action: Upgrade to curl version 8.21.0 or later, which contains the necessary memory management fixes.
Proactive Monitoring: Audit applications to identify if they explicitly configure HTTP/2 stream dependencies, as these are the primary vectors for triggering the flaw.
Compensating Controls: If patching is not immediately feasible, restrict the use of deprecated HTTP/2 stream dependency options within application code to prevent the vulnerable code path from executing.
Exploitation status
Public Exploit Available: true
Analyst recommendation
Despite the vendor's low-severity rating, the technical nature of this use-after-free vulnerability and the existence of a public proof-of-concept warrant immediate remediation. Security teams should prioritize updating all instances of libcurl to version 8.21.0 to eliminate the risk of memory corruption, particularly in network-facing applications that process arbitrary HTTP/2 traffic.