Use-After-Free Vulnerability in libcurl Affects Multiple Applications
CVE-2026-9080

Currently unrated

Key Information:

Vendor: Curl

Status
Vendor
CVE Published: 3 July 2026

What is CVE-2026-9080?

A use-after-free vulnerability exists in libcurl. It is triggered when the curl_easy_pause() function is called from within the event-based CURLMOPT_SOCKETFUNCTION callback. The result is a dangling struct pointer that attackers may be able to exploit, potentially leading to arbitrary code execution or application instability. Proper handling and updates are crucial to mitigating the risks associated with this vulnerability.

Affected Version(s)

curl 8.20.0

curl 8.19.0

curl 8.18.0

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Joshua Rogers (Aisle Research)
Daniel Stenberg