PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10536 curl CVE debrief

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation. This vulnerability could potentially lead to crashes or code execution. Affected product deployments should be confirmed to exist in managed environments, and an owner should be assigned for follow-up.

Vendor
curl
Product
Unknown
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-03
Original CVE updated
2026-07-07
Advisory published
2026-07-03
Advisory updated
2026-07-07

Who should care

Users of libcurl in applications that configure HTTP/2 stream-dependency trees and utilize `curl_easy_reset()` and `curl_easy_cleanup()` should assess the impact of this vulnerability on their systems. Affected operators, platforms, vulnerability-management, and security teams should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

The vulnerability arises from a use-after-free error in libcurl's handling of HTTP/2 stream dependencies when `curl_easy_reset()` and `curl_easy_cleanup()` are used in sequence. This could potentially lead to crashes or code execution. The vulnerability is triggered when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation. Affected product context includes libcurl in applications that configure HTTP/2 stream-dependency trees and utilize `curl_easy_reset()` and `curl_easy_cleanup()`.

Defensive priority

High

Recommended defensive actions

  • Apply patches or updates provided by the vendor
  • Review and adjust application code to avoid the vulnerable conditions
  • Monitor systems for potential exploitation attempts
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. Vendor advisory and patch information are available. Affected product deployments should be confirmed to exist in managed environments, and an owner should be assigned for follow-up. The vulnerability arises from a use-after-free error in libcurl's handling of HTTP/2 stream dependencies when `curl_easy_reset()` and `curl_easy_cleanup()` are used in sequence. This could potentially lead to crashes or code execution. Users of libcurl in applications that configure HTTP/2 stream-dependency trees and utilize `curl_easy_reset()` and `curl_easy_cleanup()` should assess the impact of this vulnerability on their systems.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T07:16:23.563Z and has not been modified since then.