CVE-2026-10536

curl · libcurl

A use-after-free vulnerability in libcurl allows potential memory corruption via manipulated HTTP/2 stream dependency configurations during handle cleanup.

Executive summary

A use-after-free vulnerability in libcurl (CVE-2026-10536) presents a critical risk of memory corruption and potential arbitrary code execution.

Vulnerability

This is a use-after-free vulnerability triggered when an application utilizes specific HTTP/2 stream-dependency functions (CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E) followed by curl_easy_reset() and curl_easy_cleanup(). The vulnerability is unauthenticated, as it pertains to the library's internal memory management during standard handle lifecycle operations.

Business impact

While the curl project has assessed the real-world risk as low due to the reliance on deprecated and rarely used HTTP/2 features, the CVSS score of 9.8 indicates a critical technical severity. Successful exploitation could lead to application crashes, denial of service, or potentially remote code execution, threatening the integrity and availability of services relying on the libcurl library.

Remediation

Immediate Action: Upgrade to curl version 8.21.0 or later, which contains the necessary memory management fixes.

Proactive Monitoring: Audit applications to identify if they explicitly configure HTTP/2 stream dependencies, as these are the primary vectors for triggering the flaw.

Compensating Controls: If patching is not immediately feasible, restrict the use of deprecated HTTP/2 stream dependency options within application code to prevent the vulnerable code path from executing.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Despite the vendor's low-severity rating, the technical nature of this use-after-free vulnerability and the existence of a public proof-of-concept warrant immediate remediation. Security teams should prioritize updating all instances of libcurl to version 8.21.0 to eliminate the risk of memory corruption, particularly in network-facing applications that process arbitrary HTTP/2 traffic.