PatchSiren cyber security CVE debrief
CVE-2026-10536 curl CVE debrief
A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation. This vulnerability could potentially lead to crashes or code execution. Affected product deployments should be confirmed to exist in managed environments, and an owner should be assigned for follow-up.
- Vendor
- curl
- Product
- Unknown
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-03
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-03
- Advisory updated
- 2026-07-07
Who should care
Users of libcurl in applications that configure HTTP/2 stream-dependency trees and utilize `curl_easy_reset()` and `curl_easy_cleanup()` should assess the impact of this vulnerability on their systems. Affected operators, platforms, vulnerability-management, and security teams should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
Technical summary
The vulnerability arises from a use-after-free error in libcurl's handling of HTTP/2 stream dependencies when `curl_easy_reset()` and `curl_easy_cleanup()` are used in sequence. This could potentially lead to crashes or code execution. The vulnerability is triggered when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation. Affected product context includes libcurl in applications that configure HTTP/2 stream-dependency trees and utilize `curl_easy_reset()` and `curl_easy_cleanup()`.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates provided by the vendor
- Review and adjust application code to avoid the vulnerable conditions
- Monitor systems for potential exploitation attempts
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record and NVD detail provide information on the vulnerability. Vendor advisory and patch information are available. Affected product deployments should be confirmed to exist in managed environments, and an owner should be assigned for follow-up. The vulnerability arises from a use-after-free error in libcurl's handling of HTTP/2 stream dependencies when `curl_easy_reset()` and `curl_easy_cleanup()` are used in sequence. This could potentially lead to crashes or code execution. Users of libcurl in applications that configure HTTP/2 stream-dependency trees and utilize `curl_easy_reset()` and `curl_easy_cleanup()` should assess the impact of this vulnerability on their systems.
Official resources
-
CVE-2026-10536 CVE record
CVE.org
-
CVE-2026-10536 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
2499f714-1537-4658-8207-48ae4bb9eae9 - Patch, Vendor Advisory
-
Mitigation or vendor reference
2499f714-1537-4658-8207-48ae4bb9eae9 - Vendor Advisory
-
Mitigation or vendor reference
2499f714-1537-4658-8207-48ae4bb9eae9 - Exploit, Issue Tracking, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T07:16:23.563Z and has not been modified since then.