CVE-2026-10536

EUVD-2026-41497
A use-after-free vulnerability exists in libcurl when an application
configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or
`CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and
finally terminates the handle with `curl_easy_cleanup()`. During this final
cleanup phase, libcurl attempts to access and modify an internal structure
that was already freed during the reset operation.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
curlCNA
UNKNOWN
---
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
curlcurl
𝑥
≤ 8.20.0
CNA
curlcurl
𝑥
≤ 8.19.0
CNA
curlcurl
𝑥
≤ 8.18.0
CNA
curlcurl
𝑥
≤ 8.17.0
CNA
curlcurl
𝑥
≤ 8.16.0
CNA
curlcurl
𝑥
≤ 8.15.0
CNA
curlcurl
𝑥
≤ 8.14.1
CNA
curlcurl
𝑥
≤ 8.14.0
CNA
curlcurl
𝑥
≤ 8.13.0
CNA
curlcurl
𝑥
≤ 8.12.1
CNA
curlcurl
𝑥
≤ 8.12.0
CNA
curlcurl
𝑥
≤ 8.11.1
CNA
curlcurl
𝑥
≤ 8.11.0
CNA
curlcurl
𝑥
≤ 8.10.1
CNA
curlcurl
𝑥
≤ 8.10.0
CNA
curlcurl
𝑥
≤ 8.9.1
CNA
curlcurl
𝑥
≤ 8.9.0
CNA
curlcurl
𝑥
≤ 8.8.0
CNA
curlcurl
𝑥
≤ 8.7.1
CNA
curlcurl
𝑥
≤ 8.7.0
CNA
curlcurl
𝑥
≤ 8.6.0
CNA
curlcurl
𝑥
≤ 8.5.0
CNA
curlcurl
𝑥
≤ 8.4.0
CNA
curlcurl
𝑥
≤ 8.3.0
CNA
curlcurl
𝑥
≤ 8.2.1
CNA
curlcurl
𝑥
≤ 8.2.0
CNA
curlcurl
𝑥
≤ 8.1.2
CNA
curlcurl
𝑥
≤ 8.1.1
CNA
curlcurl
𝑥
≤ 8.1.0
CNA
curlcurl
𝑥
≤ 8.0.1
CNA
curlcurl
𝑥
≤ 8.0.0
CNA
curlcurl
𝑥
≤ 7.88.1
CNA
curlcurl
𝑥
≤ 7.88.0
CNA
Debian logo
Debian Releases
Debian Product
Codename
curl
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
vulnerable
sid
8.21.0-2
fixed
trixie
no-dsa