{"id":"CURL-CVE-2026-9080","summary":"UAF after pause in socket callback","details":"Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION`\ncallback triggers a use-after-free vulnerability, where libcurl attempts to\nstore a flag using a dangling struct pointer immediately after that pointer's\nmemory has been freed.","aliases":["CVE-2026-9080"],"modified":"2026-06-24T14:03:22.834824Z","published":"2026-06-24T08:00:00Z","database_specific":{"URL":"https://curl.se/docs/CVE-2026-9080.json","affects":"lib","last_affected":"8.20.0","www":"https://curl.se/docs/CVE-2026-9080.html","issue":"https://hackerone.com/reports/3749204","CWE":{"id":"CWE-416","desc":"Use After Free"},"severity":"Low","package":"curl"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.13.0"},{"fixed":"8.21.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"cfc657a48dbafb4194676d4c9d841388b3a22210"},{"fixed":"5ab34cba42e4ee4282fe8bab43f311d51b9bf9bd"}]}],"versions":["8.20.0","8.19.0","8.18.0","8.17.0","8.16.0","8.15.0","8.14.1","8.14.0","8.13.0","curl-8_20_0","rc-8_20_0-3","rc-8_20_0-2","rc-8_20_0-1","curl-8_19_0","rc-8_19_0-3","rc-8_19_0-2","rc-8_19_0-1","curl-8_18_0","rc-8_18_0-3","rc-8_18_0-2","rc-8_18_0-1","curl-8_17_0","curl-8_16_0","curl-8_15_0","curl-8_14_1","curl-8_14_0","curl-8_13_0"],"database_specific":{"vanir_signatures_modified":"2026-06-24T14:03:22Z","vanir_signatures":[{"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["220040427109472297309562541428928847642","308855277422324938176053082237711811750","178305073432534490353168540974467663434","262037310467268598251196274478854355864","72645878512162809117703943282104454785","150155346539341738985717193742186326803","9123612111941668276180863835095619081","301888243040055537691928168051125981779","301505997990128983717519754450372161073","27605904909765312892421707670660342068","75025888627355669353279574105032378085","112586131146354865156433696110601588682","301683011683602488588681883586215131125","135831584371850663902836576918444660063","165143934271465645979937287121264207371","63036884935075250322292931351360935384","281761623130760418401278134963650482245","334438526425362393694661592428935145092","71627468909094308866243209562961856656","207979412446850192441035037332161673948","146540915811743433728482277187406869253","164521669155660244038275882821321397035","89872451377525975046754161517405893063","50420258852794273486101183696478445957","117736554385853469439693077128433448226","189577098526962848779675452261752016756","336427681772782339615290278420759722535"],"threshold":0.9},"id":"CURL-CVE-2026-9080-1abdb19c","source":"https://github.com/curl/curl.git/commit/5ab34cba42e4ee4282fe8bab43f311d51b9bf9bd","signature_type":"Line","target":{"file":"lib/multi_ev.c"}},{"signature_version":"v1","deprecated":false,"digest":{"length":126,"function_hash":"280574953934088564907154989833699017122"},"id":"CURL-CVE-2026-9080-2e96704c","source":"https://github.com/curl/curl.git/commit/5ab34cba42e4ee4282fe8bab43f311d51b9bf9bd","signature_type":"Function","target":{"function":"mev_sh_entry_dtor","file":"lib/multi_ev.c"}},{"signature_version":"v1","deprecated":false,"digest":{"length":368,"function_hash":"196260475389111518429022609235592410953"},"id":"CURL-CVE-2026-9080-9aa5b0e9","source":"https://github.com/curl/curl.git/commit/5ab34cba42e4ee4282fe8bab43f311d51b9bf9bd","signature_type":"Function","target":{"function":"mev_sh_entry_add","file":"lib/multi_ev.c"}},{"signature_version":"v1","deprecated":false,"digest":{"length":1730,"function_hash":"107954024898540431709457204779080753955"},"id":"CURL-CVE-2026-9080-df7e481c","source":"https://github.com/curl/curl.git/commit/5ab34cba42e4ee4282fe8bab43f311d51b9bf9bd","signature_type":"Function","target":{"function":"mev_sh_entry_update","file":"lib/multi_ev.c"}}],"source":"https://curl.se/docs/CURL-CVE-2026-9080.json"}}],"schema_version":"1.7.5","credits":[{"name":"Joshua Rogers (Aisle Research)","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}