Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3116 articles · 171957 vulns · 37/41 feeds (7d)
← Back to list
9.8
CVE-2026-10536
curl · libcurl

HTTP/2 stream-dependency tree UAF

Description

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.

Affected Products

VendorProductVersions
curllibcurl8.20.0, 8.19.0, 8.18.0, 8.17.0, 8.16.0, 8.15.0, 8.14.1, 8.14.0, 8.13.0, 8.12.1, 8.12.0, 8.11.1, 8.11.0, 8.10.1, 8.10.0, 8.9.1, 8.9.0, 8.8.0, 8.7.1, 8.7.0, 8.6.0, 8.5.0, 8.4.0, 8.3.0, 8.2.1, 8.2.0, 8.1.2, 8.1.1, 8.1.0, 8.0.1, 8.0.0, 7.88.1, 7.88.0

References

  • https://curl.se/docs/CVE-2026-10536.json
  • https://curl.se/docs/CVE-2026-10536.html
  • https://hackerone.com/reports/3751697

Related News (3 articles)

Tier A
Microsoft MSRC2h ago
CVE-2026-10536 HTTP/2 stream-dependency tree UAF
→ No new info (linked only)
Tier C
VulDB4d ago
CVE-2026-10536 | curl libcURL up to 8.20.0 curl_easy_reset use after free
→ No new info (linked only)
Tier B
CERT-FR13d ago
Multiples vulnérabilités dans cURL et libcurl (24 juin 2026)
→ No new info (linked only)
CVSS 3.19.8 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV❌ No
Actively exploited❌ No
PublishedJun 24, 2026
Last enriched12d ago
Tags
multiple vulnerabilitiescurllibcurlsecurity bulletin
Trending Score68
Source articles3
Independent3
Info Completeness5/14
Missing: versions, cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-8926EXP
password leak with netrc and user in URL
Trending: 77
CRITICALCVE-2026-8924
trailing dot domain super cookie
Trending: 68
CRITICALCVE-2026-9080EXP
UAF after pause in socket callback
Trending: 61
HIGHCVE-2026-8286
wrong STARTTLS connection reuse
Trending: 59
HIGHCVE-2026-9545
exposing HTTP/3 early data
Trending: 56

Pin to Dashboard

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jun 24, 2026
Discovered by ZDM
Jun 24, 2026