CURL-CVE-2026-9080

Source
https://curl.se/docs/CVE-2026-9080.html
Import Source
https://curl.se/docs/CURL-CVE-2026-9080.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2026-9080
Aliases
  • CVE-2026-9080
Published
2026-06-24T08:00:00Z
Modified
2026-06-24T14:03:22.834824Z
Summary
UAF after pause in socket callback
Details

Calling curl_easy_pause() within the event-based CURLMOPT_SOCKETFUNCTION callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.

Database specific
{
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2026-9080.json",
    "last_affected": "8.20.0",
    "issue": "https://hackerone.com/reports/3749204",
    "affects": "lib",
    "severity": "Low",
    "www": "https://curl.se/docs/CVE-2026-9080.html",
    "CWE": {
        "desc": "Use After Free",
        "id": "CWE-416"
    }
}
References
Credits
    • Joshua Rogers (Aisle Research) - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
8.13.0
Fixed
8.21.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

8.*
8.13.0
8.14.0
8.14.1
8.15.0
8.16.0
8.17.0
8.18.0
8.19.0
8.20.0
Other
curl-8_13_0
curl-8_14_0
curl-8_14_1
curl-8_15_0
curl-8_16_0
curl-8_17_0
curl-8_18_0
curl-8_19_0
curl-8_20_0
rc-8_18_0-1
rc-8_18_0-2
rc-8_18_0-3
rc-8_19_0-1
rc-8_19_0-2
rc-8_19_0-3
rc-8_20_0-1
rc-8_20_0-2
rc-8_20_0-3

Database specific

source
"https://curl.se/docs/CURL-CVE-2026-9080.json"
vanir_signatures_modified
"2026-06-24T14:03:22Z"
vanir_signatures
[
    {
        "target": {
            "file": "lib/multi_ev.c"
        },
        "id": "CURL-CVE-2026-9080-1abdb19c",
        "source": "https://github.com/curl/curl.git/commit/5ab34cba42e4ee4282fe8bab43f311d51b9bf9bd",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/multi_ev.c",
            "function": "mev_sh_entry_dtor"
        },
        "id": "CURL-CVE-2026-9080-2e96704c",
        "source": "https://github.com/curl/curl.git/commit/5ab34cba42e4ee4282fe8bab43f311d51b9bf9bd",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 126.0,
            "function_hash": "280574953934088564907154989833699017122"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/multi_ev.c",
            "function": "mev_sh_entry_add"
        },
        "id": "CURL-CVE-2026-9080-9aa5b0e9",
        "source": "https://github.com/curl/curl.git/commit/5ab34cba42e4ee4282fe8bab43f311d51b9bf9bd",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 368.0,
            "function_hash": "196260475389111518429022609235592410953"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/multi_ev.c",
            "function": "mev_sh_entry_update"
        },
        "id": "CURL-CVE-2026-9080-df7e481c",
        "source": "https://github.com/curl/curl.git/commit/5ab34cba42e4ee4282fe8bab43f311d51b9bf9bd",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1730.0,
            "function_hash": "107954024898540431709457204779080753955"
        },
        "signature_version": "v1"
    }
]