CVE-2026-10536
EUVD-2026-4149703.07.2026, 07:16
A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.Enginsight
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| curl | curl | 𝑥 ≤ 8.20.0 | CNA |
| curl | curl | 𝑥 ≤ 8.19.0 | CNA |
| curl | curl | 𝑥 ≤ 8.18.0 | CNA |
| curl | curl | 𝑥 ≤ 8.17.0 | CNA |
| curl | curl | 𝑥 ≤ 8.16.0 | CNA |
| curl | curl | 𝑥 ≤ 8.15.0 | CNA |
| curl | curl | 𝑥 ≤ 8.14.1 | CNA |
| curl | curl | 𝑥 ≤ 8.14.0 | CNA |
| curl | curl | 𝑥 ≤ 8.13.0 | CNA |
| curl | curl | 𝑥 ≤ 8.12.1 | CNA |
| curl | curl | 𝑥 ≤ 8.12.0 | CNA |
| curl | curl | 𝑥 ≤ 8.11.1 | CNA |
| curl | curl | 𝑥 ≤ 8.11.0 | CNA |
| curl | curl | 𝑥 ≤ 8.10.1 | CNA |
| curl | curl | 𝑥 ≤ 8.10.0 | CNA |
| curl | curl | 𝑥 ≤ 8.9.1 | CNA |
| curl | curl | 𝑥 ≤ 8.9.0 | CNA |
| curl | curl | 𝑥 ≤ 8.8.0 | CNA |
| curl | curl | 𝑥 ≤ 8.7.1 | CNA |
| curl | curl | 𝑥 ≤ 8.7.0 | CNA |
| curl | curl | 𝑥 ≤ 8.6.0 | CNA |
| curl | curl | 𝑥 ≤ 8.5.0 | CNA |
| curl | curl | 𝑥 ≤ 8.4.0 | CNA |
| curl | curl | 𝑥 ≤ 8.3.0 | CNA |
| curl | curl | 𝑥 ≤ 8.2.1 | CNA |
| curl | curl | 𝑥 ≤ 8.2.0 | CNA |
| curl | curl | 𝑥 ≤ 8.1.2 | CNA |
| curl | curl | 𝑥 ≤ 8.1.1 | CNA |
| curl | curl | 𝑥 ≤ 8.1.0 | CNA |
| curl | curl | 𝑥 ≤ 8.0.1 | CNA |
| curl | curl | 𝑥 ≤ 8.0.0 | CNA |
| curl | curl | 𝑥 ≤ 7.88.1 | CNA |
| curl | curl | 𝑥 ≤ 7.88.0 | CNA |
Debian Releases
Vulnerability Media Exposure