CURL-CVE-2026-10536

Source
https://curl.se/docs/CVE-2026-10536.html
Import Source
https://curl.se/docs/CURL-CVE-2026-10536.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2026-10536
Aliases
  • CVE-2026-10536
Published
2026-06-24T08:00:00Z
Modified
2026-06-24T14:03:22.586398Z
Summary
HTTP/2 stream-dependency tree UAF
Details

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, then calls curl_easy_reset() on the handle, and finally releases the handle with curl_easy_cleanup(). During that final cleanup, libcurl reads and writes an internal structure that the reset had already freed. The condition arises only for this option/reset/cleanup sequence; this record lists the affected component as the library ("affects": "lib"), with versions 7.88.0 through 8.20.0 affected and the fix in 8.21.0.

Database specific
{
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2026-10536.json",
    "last_affected": "8.20.0",
    "issue": "https://hackerone.com/reports/3751697",
    "affects": "lib",
    "severity": "Low",
    "www": "https://curl.se/docs/CVE-2026-10536.html",
    "CWE": {
        "desc": "Use After Free",
        "id": "CWE-416"
    }
}
References
Credits
    • Joshua Rogers (Aisle Research) - FINDER
    • Stefan Eissing - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.88.0
Fixed
8.21.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*
7.88.0
7.88.1
8.*
8.0.0
8.0.1
8.1.0
8.1.1
8.1.2
8.10.0
8.10.1
8.11.0
8.11.1
8.12.0
8.12.1
8.13.0
8.14.0
8.14.1
8.15.0
8.16.0
8.17.0
8.18.0
8.19.0
8.2.0
8.2.1
8.20.0
8.3.0
8.4.0
8.5.0
8.6.0
8.7.0
8.7.1
8.8.0
8.9.0
8.9.1
Other
curl-7_88_0
curl-7_88_1
curl-8_0_0
curl-8_0_1
curl-8_10_0
curl-8_10_1
curl-8_11_0
curl-8_11_1
curl-8_12_0
curl-8_12_1
curl-8_13_0
curl-8_14_0
curl-8_14_1
curl-8_15_0
curl-8_16_0
curl-8_17_0
curl-8_18_0
curl-8_19_0
curl-8_1_0
curl-8_1_1
curl-8_1_2
curl-8_20_0
curl-8_2_0
curl-8_2_1
curl-8_3_0
curl-8_4_0
curl-8_5_0
curl-8_6_0
curl-8_7_0
curl-8_7_1
curl-8_8_0
curl-8_9_0
curl-8_9_1
rc-8_18_0-1
rc-8_18_0-2
rc-8_18_0-3
rc-8_19_0-1
rc-8_19_0-2
rc-8_19_0-3
rc-8_20_0-1
rc-8_20_0-2
rc-8_20_0-3
tiny-curl-8_4_0

Database specific

source
"https://curl.se/docs/CURL-CVE-2026-10536.json"
vanir_signatures_modified
"2026-06-24T14:03:22Z"
vanir_signatures
[
    {
        "target": {
            "file": "lib/url.c",
            "function": "Curl_data_priority_add_child"
        },
        "id": "CURL-CVE-2026-10536-14514e8e",
        "source": "https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 993.0,
            "function_hash": "325591748247502139765116906838197485001"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/http2.c",
            "function": "h2_submit"
        },
        "id": "CURL-CVE-2026-10536-1bf90be4",
        "source": "https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 2831.0,
            "function_hash": "87831613262470910666451525304698259747"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/http2.c"
        },
        "id": "CURL-CVE-2026-10536-2fb7d221",
        "source": "https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "179740344822557132477205589535273970948",
                "144560871026884323450181138564494623717",
                "204882655721011058057049538807842331699",
                "1455460047968834287978239479175778072",
                "1490732640454732907116637289880970046",
                "114014372554932123565183379386484934125",
                "185541922188537155788024795906919337863",
                "330289793646865884098255092243167948786",
                "66149405179017955136641220425685553077",
                "185854038462968352759557229095044852086",
                "207041260209157860813733680832555934279",
                "142197738193577661751956875949105925088",
                "115828944047234147652844090816145400105",
                "7524935267637874359168781685910609614",
                "254447233737700837895011540288413948265",
                "112480572858777090115664566104574403679",
                "119493499069313270274216766908981917096",
                "147667258618763794060595730945973944369",
                "90630199908342683083630079686493870805",
                "237459096106254336309058200822235752246",
                "280508806302936458720649866633657761168",
                "340121777383320429415528511709887076663",
                "97139547241635498672169431984087521588",
                "174337998572592583361651599814334831284",
                "39799232745176007837800011665779782832"
            ]
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/url.c",
            "function": "priority_remove_child"
        },
        "id": "CURL-CVE-2026-10536-3718af88",
        "source": "https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 464.0,
            "function_hash": "87558793720639800114528217270758151961"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/url.c",
            "function": "Curl_close"
        },
        "id": "CURL-CVE-2026-10536-594be367",
        "source": "https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 2316.0,
            "function_hash": "118120681145907829420491752814693140034"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/setopt.c"
        },
        "id": "CURL-CVE-2026-10536-6af3f2de",
        "source": "https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "204774438662693969462180358721110977509",
                "210368120475869031973174214298496538617",
                "239320355039389670362867346312850490920",
                "164905850957278213970352178868838636634",
                "117981131123122383365677675874457716374",
                "103151973913611609613464396087339663971",
                "152093723853522909474118699937774428427",
                "100829238088034875443144110122692510117",
                "112020567738605759346405383802710120601",
                "113593526435299968225645408135303327756"
            ]
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/http2.c",
            "function": "h2_progress_egress"
        },
        "id": "CURL-CVE-2026-10536-6fa0506d",
        "source": "https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1034.0,
            "function_hash": "180283354885813390135531088388193604925"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/url.c",
            "function": "data_priority_cleanup"
        },
        "id": "CURL-CVE-2026-10536-79f0edc8",
        "source": "https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 377.0,
            "function_hash": "322155897078158963385116427270068634137"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/setopt.c",
            "function": "setopt_pointers"
        },
        "id": "CURL-CVE-2026-10536-9fea0fe5",
        "source": "https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1688.0,
            "function_hash": "45275289371479955685008725304032933557"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/http2.c",
            "function": "h2_pri_spec"
        },
        "id": "CURL-CVE-2026-10536-cc3f4f22",
        "source": "https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 324.0,
            "function_hash": "43779894910740968712411216863513650789"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/urldata.h"
        },
        "id": "CURL-CVE-2026-10536-cf47ed83",
        "source": "https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "87932860986884814151852475329556480392",
                "310376703452775973475827753092815371010",
                "254980810684120607057713706336332832613",
                "30684991384048335329320084149436700443",
                "211138522962085893480585580581739917128",
                "330994985872463707165181382739466365250",
                "301815053187344607022361999311662674116",
                "125049247656625361408407831403267321361",
                "237819660178544564806210620000778207630",
                "321681818164970020685492367562297002349",
                "97913460134044383659062886770015478990"
            ]
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/url.c"
        },
        "id": "CURL-CVE-2026-10536-e85cf31e",
        "source": "https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "121657195252562083107274964558116153863",
                "241006146921228803927211866720891696125",
                "43507677381671572267370869598184691438",
                "77303437247477042094799343444108399484",
                "56329779882032470773130321227570486636",
                "239974978190442056510807870182254979377",
                "163702470078894678973121745572320980980",
                "53942430689773782652075807604031082432",
                "54169951522237415263569574546666415277",
                "42132032583831010542382730739912278520",
                "292708668809134668266228877764448500214",
                "299683974896647572718938281955692219987",
                "307027988626369522668345388728894238297",
                "60217820632151489937153450101704330361",
                "102352815572265007903745813161573047836",
                "41909304453430224011803391103102128461",
                "126801658550812237374762515941070852373",
                "217732031296137881556735884439251668331",
                "238551529087098022578487398592150375797",
                "154889623968042970384181185009730147438",
                "34936636501046028066244001967976157906",
                "37150033389146849204100654154351193268",
                "51506187600083032599128658568203100596",
                "83439931673456999336900165376790794895",
                "208955007477129888308002567718365516153",
                "221045906480102981964668202733260404956",
                "161297589092161904507505244545905243949",
                "326186565029078322248072162616254478618",
                "173848784996076374377975787792304478233",
                "129446780148310028723742858452587567866",
                "27585552137182679952745437105763429804",
                "78692898266263402673694006092536932632",
                "214249937502580025173652791715295418565",
                "181623142749924068937063078296118269185",
                "1315455430661437477586673452828202794",
                "94578844311078667447912984981415554292",
                "244350642060685325240683429519592061028",
                "90589836615916636654322816941873985710",
                "170638156085434584714366809290387688196",
                "113964878296194885362552629512030066666",
                "231494354336907137764382675762769604377",
                "232186240141793459941921905758413063028",
                "272371171236895772762677779738742153408",
                "286305808171243323001489219417732366412",
                "184263696216739443441760993790488213645",
                "281441551511532446742680436362256346402",
                "260381938271535928577245743419717916836",
                "187739624348471337222612492317273862389",
                "195997417700407301212229621772881250771",
                "12888296393921887711330130123175329350",
                "260523557151420616596266806022553592045",
                "69461977820530466403212979232404556523",
                "129444698684131949452002597332857307588",
                "98474404717701284073542155681959961251",
                "312466363922201892660143210413260457727",
                "142337278913900065279362164413567489208",
                "85022423228989411440631211025799146888",
                "301277405361913777396029537259818482330",
                "35794274260527763173094795613731827443",
                "75526023064955070950086268450589926776",
                "214596115933766602202012288046512194231",
                "300835834772728110317327059268131310164",
                "262279293780664606065259620383277118528",
                "139701258223030854226967763729958885009",
                "133495539987373490655026982334138654909",
                "210000970815892466430331891284298361763",
                "283960331107630397345062401924484200329",
                "25313951828002797198916721153733661660",
                "172611835381895434136217038124892628359",
                "261806567162411201384763442304488291201",
                "243103402238195474429177881062790918439",
                "31649221404857212519989615511421610556",
                "234168265099403613042332721363826527968",
                "162012353447295491677227039340543456614",
                "211287401317715519707138512136839466630",
                "172176483292980832050778056929760803203",
                "171323258531435993617844365235364255919",
                "65566630025470632301993753380942270394",
                "25839668882570418480052716225526684282",
                "264350922173158317538465308423119722826",
                "143671312866038000131603391293701186861",
                "261390875323393009211201433506449223933",
                "197963449619881185320546212147030193060",
                "317015920772794069813221853419219570999",
                "336616973220496070882951547138334549356",
                "124733574722734605325430084243210581595"
            ]
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "include/curl/curl.h"
        },
        "id": "CURL-CVE-2026-10536-eec2365a",
        "source": "https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "262636209330276216109673268244671424138",
                "338612097763577275990156120870784978608",
                "54491808369019594025845746550340445025",
                "207024777169793900677977663127470729098",
                "21660626018961525683831255931653703475"
            ]
        },
        "signature_version": "v1"
    }
]