CVE-2026-10536
ADVISORY - debianSummary
A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, subsequently invokes curl_easy_reset(), and finally terminates the handle with curl_easy_cleanup(). During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.
- curl 8.21.0~rc2-1 [trixie] - curl (Minor issue) [bookworm] - curl (Minor issue; needs rare CURLOPT_STREAM_DEPENDS + reset/cleanup) [bullseye] - curl (Vulnerable code introduced in 7.88.0; bullseye ships 7.74.0) https://curl.se/docs/CVE-2026-10536.html Introduced with: https://github.com/curl/curl/commit/71b7e0161032927cdfb4e75ea40f65b8898b3956 (curl-7_88_0) Fixed by: https://github.com/curl/curl/commit/bfbff7852f050232edd3e5ca5c6bf2021c340f5a (rc-8_21_0-1, curl-8_21_0)
EPSS Score: 0.00891 (0.552)
Common Weakness Enumeration (CWE)
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in