CVE-2026-10536
No CVSS score published
Source data as of:
At a glance
- Severity: No CVSS score published
- CVSS: No CVSS score in the NVD record
- EPSS: EPSS not provided by FIRST.org for this CVE
- CISA KEV: No
- Published: 2026-07-03 · Modified: 2026-07-03
- References: 3
Sources: CVSS from NVD · EPSS from FIRST.org · KEV from CISA.
Description
A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.
- Reference https://curl.se/docs/CVE-2026-10536.html
- Reference https://curl.se/docs/CVE-2026-10536.json
- Reference https://hackerone.com/reports/3751697