{"id":"CURL-CVE-2026-10536","summary":"HTTP/2 stream-dependency tree UAF","details":"A use-after-free vulnerability exists in libcurl when an application\nconfigures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or\n`CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and\nfinally terminates the handle with `curl_easy_cleanup()`. During this final\ncleanup phase, libcurl attempts to access and modify an internal structure\nthat was already freed during the reset operation.","aliases":["CVE-2026-10536"],"modified":"2026-06-24T14:03:22.586398Z","published":"2026-06-24T08:00:00Z","database_specific":{"severity":"Low","URL":"https://curl.se/docs/CVE-2026-10536.json","package":"curl","www":"https://curl.se/docs/CVE-2026-10536.html","last_affected":"8.20.0","issue":"https://hackerone.com/reports/3751697","affects":"lib","CWE":{"id":"CWE-416","desc":"Use After Free"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.88.0"},{"fixed":"8.21.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"71b7e0161032927cdfb4e75ea40f65b8898b3956"},{"fixed":"bfbff7852f050232edd3e5ca5c6bf2021c340f5a"}]}],"versions":["8.20.0","8.19.0","8.18.0","8.17.0","8.16.0","8.15.0","8.14.1","8.14.0","8.13.0","8.12.1","8.12.0","8.11.1","8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","8.7.1","8.7.0","8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","curl-8_20_0","rc-8_20_0-3","rc-8_20_0-2","rc-8_20_0-1","curl-8_19_0","rc-8_19_0-3","rc-8_19_0-2","rc-8_19_0-1","curl-8_18_0","rc-8_18_0-3","rc-8_18_0-2","rc-8_18_0-1","curl-8_17_0","curl-8_16_0","curl-8_15_0","curl-8_14_1","curl-8_14_0","curl-8_13_0","curl-8_12_1","curl-8_12_0","curl-8_11_1","curl-8_11_0","curl-8_10_1","curl-8_10_0","curl-8_9_1","curl-8_9_0","curl-8_8_0","curl-8_7_1","curl-8_7_0","curl-8_6_0","curl-8_5_0","tiny-curl-8_4_0","curl-8_4_0","curl-8_3_0","curl-8_2_1","curl-8_2_0","curl-8_1_2","curl-8_1_1","curl-8_1_0","curl-8_0_1","curl-8_0_0","curl-7_88_1","curl-7_88_0"],"database_specific":{"vanir_signatures":[{"target":{"file":"lib/url.c","function":"Curl_data_priority_add_child"},"id":"CURL-CVE-2026-10536-14514e8e","digest":{"function_hash":"325591748247502139765116906838197485001","length":993},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a","signature_type":"Function","signature_version":"v1"},{"target":{"file":"lib/http2.c","function":"h2_submit"},"id":"CURL-CVE-2026-10536-1bf90be4","digest":{"function_hash":"87831613262470910666451525304698259747","length":2831},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a","signature_type":"Function","signature_version":"v1"},{"target":{"file":"lib/http2.c"},"id":"CURL-CVE-2026-10536-2fb7d221","digest":{"line_hashes":["179740344822557132477205589535273970948","144560871026884323450181138564494623717","204882655721011058057049538807842331699","1455460047968834287978239479175778072","1490732640454732907116637289880970046","114014372554932123565183379386484934125","185541922188537155788024795906919337863","330289793646865884098255092243167948786","66149405179017955136641220425685553077","185854038462968352759557229095044852086","207041260209157860813733680832555934279","142197738193577661751956875949105925088","115828944047234147652844090816145400105","7524935267637874359168781685910609614","254447233737700837895011540288413948265","112480572858777090115664566104574403679","119493499069313270274216766908981917096","147667258618763794060595730945973944369","90630199908342683083630079686493870805","237459096106254336309058200822235752246","280508806302936458720649866633657761168","340121777383320429415528511709887076663","97139547241635498672169431984087521588","174337998572592583361651599814334831284","39799232745176007837800011665779782832"],"threshold":0.9},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a","signature_type":"Line","signature_version":"v1"},{"target":{"file":"lib/url.c","function":"priority_remove_child"},"id":"CURL-CVE-2026-10536-3718af88","digest":{"function_hash":"87558793720639800114528217270758151961","length":464},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a","signature_type":"Function","signature_version":"v1"},{"target":{"file":"lib/url.c","function":"Curl_close"},"id":"CURL-CVE-2026-10536-594be367","digest":{"function_hash":"118120681145907829420491752814693140034","length":2316},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a","signature_type":"Function","signature_version":"v1"},{"target":{"file":"lib/setopt.c"},"id":"CURL-CVE-2026-10536-6af3f2de","digest":{"line_hashes":["204774438662693969462180358721110977509","210368120475869031973174214298496538617","239320355039389670362867346312850490920","164905850957278213970352178868838636634","117981131123122383365677675874457716374","103151973913611609613464396087339663971","152093723853522909474118699937774428427","100829238088034875443144110122692510117","112020567738605759346405383802710120601","113593526435299968225645408135303327756"],"threshold":0.9},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a","signature_type":"Line","signature_version":"v1"},{"target":{"file":"lib/http2.c","function":"h2_progress_egress"},"id":"CURL-CVE-2026-10536-6fa0506d","digest":{"function_hash":"180283354885813390135531088388193604925","length":1034},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a","signature_type":"Function","signature_version":"v1"},{"target":{"file":"lib/url.c","function":"data_priority_cleanup"},"id":"CURL-CVE-2026-10536-79f0edc8","digest":{"function_hash":"322155897078158963385116427270068634137","length":377},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a","signature_type":"Function","signature_version":"v1"},{"target":{"file":"lib/setopt.c","function":"setopt_pointers"},"id":"CURL-CVE-2026-10536-9fea0fe5","digest":{"function_hash":"45275289371479955685008725304032933557","length":1688},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a","signature_type":"Function","signature_version":"v1"},{"target":{"file":"lib/http2.c","function":"h2_pri_spec"},"id":"CURL-CVE-2026-10536-cc3f4f22","digest":{"function_hash":"43779894910740968712411216863513650789","length":324},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a","signature_type":"Function","signature_version":"v1"},{"target":{"file":"lib/urldata.h"},"id":"CURL-CVE-2026-10536-cf47ed83","digest":{"line_hashes":["87932860986884814151852475329556480392","310376703452775973475827753092815371010","254980810684120607057713706336332832613","30684991384048335329320084149436700443","211138522962085893480585580581739917128","330994985872463707165181382739466365250","301815053187344607022361999311662674116","125049247656625361408407831403267321361","237819660178544564806210620000778207630","321681818164970020685492367562297002349","97913460134044383659062886770015478990"],"threshold":0.9},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a","signature_type":"Line","signature_version":"v1"},{"target":{"file":"lib/url.c"},"id":"CURL-CVE-2026-10536-e85cf31e","digest":{"line_hashes":["121657195252562083107274964558116153863","241006146921228803927211866720891696125","43507677381671572267370869598184691438","77303437247477042094799343444108399484","56329779882032470773130321227570486636","239974978190442056510807870182254979377","163702470078894678973121745572320980980","53942430689773782652075807604031082432","54169951522237415263569574546666415277","42132032583831010542382730739912278520","292708668809134668266228877764448500214","299683974896647572718938281955692219987","307027988626369522668345388728894238297","60217820632151489937153450101704330361","102352815572265007903745813161573047836","41909304453430224011803391103102128461","126801658550812237374762515941070852373","217732031296137881556735884439251668331","238551529087098022578487398592150375797","154889623968042970384181185009730147438","34936636501046028066244001967976157906","37150033389146849204100654154351193268","51506187600083032599128658568203100596","83439931673456999336900165376790794895","208955007477129888308002567718365516153","221045906480102981964668202733260404956","161297589092161904507505244545905243949","326186565029078322248072162616254478618","173848784996076374377975787792304478233","129446780148310028723742858452587567866","27585552137182679952745437105763429804","78692898266263402673694006092536932632","214249937502580025173652791715295418565","181623142749924068937063078296118269185","1315455430661437477586673452828202794","94578844311078667447912984981415554292","244350642060685325240683429519592061028","90589836615916636654322816941873985710","170638156085434584714366809290387688196","113964878296194885362552629512030066666","231494354336907137764382675762769604377","232186240141793459941921905758413063028","272371171236895772762677779738742153408","286305808171243323001489219417732366412","184263696216739443441760993790488213645","281441551511532446742680436362256346402","260381938271535928577245743419717916836","187739624348471337222612492317273862389","195997417700407301212229621772881250771","12888296393921887711330130123175329350","260523557151420616596266806022553592045","69461977820530466403212979232404556523","129444698684131949452002597332857307588","98474404717701284073542155681959961251","312466363922201892660143210413260457727","142337278913900065279362164413567489208","85022423228989411440631211025799146888","301277405361913777396029537259818482330","35794274260527763173094795613731827443","75526023064955070950086268450589926776","214596115933766602202012288046512194231","300835834772728110317327059268131310164","262279293780664606065259620383277118528","139701258223030854226967763729958885009","133495539987373490655026982334138654909","210000970815892466430331891284298361763","283960331107630397345062401924484200329","25313951828002797198916721153733661660","172611835381895434136217038124892628359","261806567162411201384763442304488291201","243103402238195474429177881062790918439","31649221404857212519989615511421610556","234168265099403613042332721363826527968","162012353447295491677227039340543456614","211287401317715519707138512136839466630","172176483292980832050778056929760803203","171323258531435993617844365235364255919","65566630025470632301993753380942270394","25839668882570418480052716225526684282","264350922173158317538465308423119722826","143671312866038000131603391293701186861","261390875323393009211201433506449223933","197963449619881185320546212147030193060","317015920772794069813221853419219570999","336616973220496070882951547138334549356","124733574722734605325430084243210581595"],"threshold":0.9},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a","signature_type":"Line","signature_version":"v1"},{"target":{"file":"include/curl/curl.h"},"id":"CURL-CVE-2026-10536-eec2365a","digest":{"line_hashes":["262636209330276216109673268244671424138","338612097763577275990156120870784978608","54491808369019594025845746550340445025","207024777169793900677977663127470729098","21660626018961525683831255931653703475"],"threshold":0.9},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a","signature_type":"Line","signature_version":"v1"}],"vanir_signatures_modified":"2026-06-24T14:03:22Z","source":"https://curl.se/docs/CURL-CVE-2026-10536.json"}}],"schema_version":"1.7.5","credits":[{"name":"Joshua Rogers (Aisle Research)","type":"FINDER"},{"name":"Stefan Eissing","type":"REMEDIATION_DEVELOPER"}]}