
libcurl HTTP/2 stream-dependency tree use-after-free

Identifiers: CVE-2026-10536, CWE-416

CVE-2026-10536 is a low-severity use-after-free vulnerability in libcurl’s HTTP/2 stream-dependency handling. The flaw occurs when an application configures an HTTP/2 stream-dependency tree using CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, then calls curl_easy_reset(), and later destroys the easy handle with curl_easy_cleanup(). In the affected code path, reset frees internal dependency-related state, but cleanup later still accesses and modifies that already-freed structure, resulting in a use-after-free. The issue affects libcurl versions 7.88.0 through 8.20.0 inclusive. The curl command-line tool is not affected. The vulnerability was introduced by commit 71b7e0161032927cdfb and fixed by commit bfbff7852f050232edd3e5ca.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering causes libcurl to dereference or modify freed memory during handle cleanup. In practice, the advisory indicates this is typically observable as an assertion abort in debug builds or detection by memory-safety tooling such as Valgrind or AddressSanitizer. This can lead to process instability or crash in applications using the affected libcurl API sequence. The issue is rated Low severity, and the available information does not establish reliable attacker-controlled code execution.

Mitigation

If you can’t patch tonight, do this now.

Avoid using the HTTP/2 stream-dependency options CURLOPT_STREAM_DEPENDS and CURLOPT_STREAM_DEPENDS_E on affected libcurl versions. More specifically, avoid the vulnerable sequence of setting HTTP/2 stream dependencies on a handle, invoking curl_easy_reset() on it, and then calling curl_easy_cleanup() on the same handle. Where feasible, run an unaffected release: preferably 8.21.0 or later (versions earlier than 7.88.0 are also unaffected).

Remediation

Patch, then assume compromise.

Upgrade curl/libcurl to version 8.21.0 or later. The upstream fix removes support for HTTP/2 stream dependencies by making the feature a no-op, eliminating the vulnerable state-management path. If immediate upgrade is not possible, apply the upstream patch corresponding to commit bfbff7852f050232edd3e5ca and rebuild libcurl and dependent applications as appropriate.
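The mitigation and remediation sections above both come down to knowing which libcurl an application is actually linked against at run time. The following is an added example, not code from curl or from Mallory, of a start-up gate an application could use: it parses the "libcurl/X.Y.Z ..." banner that curl_version() returns (or takes the packed number from curl_version_info()->version_num / LIBCURL_VERSION_NUM, both of which use the 0xXXYYZZ packing reproduced here) and reports whether the build falls in the affected range 7.88.0 through 8.20.0 inclusive. The function names, the CURL_VER macro and the sample banners are this example's own, and the banners are constructed.

```c
/* Added example (not curl's or Mallory's code): run-time gate deciding whether
 * the linked libcurl is in the CVE-2026-10536 affected range, so the program
 * can refuse to set CURLOPT_STREAM_DEPENDS / CURLOPT_STREAM_DEPENDS_E (or
 * avoid curl_easy_reset() on such handles) on an affected build.
 * The 0xXXYYZZ packing matches the real LIBCURL_VERSION_NUM macro. */
#include <stdio.h>
#include <string.h>

/* Pack major.minor.patch the same way LIBCURL_VERSION_NUM does (hypothetical
 * macro name, same layout as libcurl's). */
#define CURL_VER(maj, min, pat) \
    (((unsigned)(maj) << 16) | ((unsigned)(min) << 8) | (unsigned)(pat))

/* Inclusive affected range taken from the advisory: 7.88.0 .. 8.20.0. */
static const unsigned FIRST_AFFECTED = CURL_VER(7, 88, 0);  /* 0x075800 */
static const unsigned FIRST_FIXED    = CURL_VER(8, 21, 0);  /* 0x081500 */

/* 1 if a packed version number is affected, 0 otherwise. */
int h2_stream_deps_affected(unsigned version_num)
{
    return version_num >= FIRST_AFFECTED && version_num < FIRST_FIXED;
}

/* Parse the "libcurl/X.Y.Z ..." prefix of a curl_version() banner into the
 * packed form. Returns 0 on success, -1 if the string is not in that shape.
 * Suffixes such as "-DEV" or the following " OpenSSL/..." tokens are ignored. */
int parse_libcurl_version(const char *banner, unsigned *out)
{
    static const char prefix[] = "libcurl/";
    unsigned maj, min, pat;

    if (!banner || strncmp(banner, prefix, sizeof(prefix) - 1) != 0)
        return -1;
    if (sscanf(banner + sizeof(prefix) - 1, "%u.%u.%u", &maj, &min, &pat) != 3)
        return -1;
    if (maj > 255 || min > 255 || pat > 255)   /* would not fit one byte each */
        return -1;
    *out = CURL_VER(maj, min, pat);
    return 0;
}

/* Convenience wrapper over a banner string:
 * 1 = affected, 0 = not affected, -1 = banner could not be parsed. */
int h2_stream_deps_affected_banner(const char *banner)
{
    unsigned v;
    if (parse_libcurl_version(banner, &v) != 0)
        return -1;
    return h2_stream_deps_affected(v);
}

int main(void)
{
    /* Constructed banners in the shape curl_version() produces; in a real
     * program you would pass curl_version() itself. */
    const char *samples[] = {
        "libcurl/7.87.0 OpenSSL/3.0.2 zlib/1.2.11 nghttp2/1.51.0",
        "libcurl/7.88.0 OpenSSL/3.0.2 zlib/1.2.11 nghttp2/1.51.0",
        "libcurl/8.20.0 OpenSSL/3.2.1 zlib/1.3 nghttp2/1.61.0",
        "libcurl/8.21.0-DEV OpenSSL/3.2.1 zlib/1.3 nghttp2/1.61.0",
        "curl 8.4.0 (x86_64-pc-linux-gnu)",   /* not a libcurl banner */
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int r = h2_stream_deps_affected_banner(samples[i]);
        printf("%-60s -> %s\n", samples[i],
               r == 1 ? "AFFECTED: do not use stream-dependency options"
             : r == 0 ? "not affected"
             :          "unrecognised banner");
    }
    return 0;
}
```

A build-time variant is simpler still: compare LIBCURL_VERSION_NUM against 0x075800 and 0x081500 in a preprocessor check. The run-time form matters when the application is linked dynamically, because the library actually loaded may differ from the headers it was compiled against; if the gate reports an affected build, either skip the stream-dependency options entirely or destroy and recreate easy handles instead of reusing them through curl_easy_reset(), which is the sequence the advisory describes.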

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.
