Impact
libcurl has a heap‑based use‑after‑free flaw that occurs when an application configures HTTP/2 stream dependencies through the CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E options, then calls curl_easy_reset() and subsequently curl_easy_cleanup(). During the final cleanup, libcurl attempts to access and modify a freed internal structure, which can corrupt memory and potentially allow an attacker to execute arbitrary code if the freed memory contains attacker‑controlled data. This flaw can compromise confidentiality, integrity, and availability of the affected system. The weakness is a classic use‑after‑free (CWE‑416).
Affected Systems
All installations of libcurl that expose the vulnerable HTTP/2 stream‑dependency API are affected. The advisory lists the curl:curl vendor product but does not specify explicit version ranges, so any libcurl build that supports CURLOPT_STREAM_DEPENDS and CURLOPT_STREAM_DEPENDS_E should be treated as at risk until a patch is released.
Risk and Exploitability
No CVSS score is publicly assigned, but the presence of a heap‑based use‑after‑free in a widely used networking library implies high severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed exploitation to date. The attack vector is inferred to be remote, as an attacker can craft an HTTP/2 request that triggers the vulnerable sequence of reset and cleanup on the client. If the exploitable conditions are met, the attacker could potentially achieve remote code execution on the client system. Until a vendor patch is applied or the vulnerable API is disabled, the risk remains elevated for environments that use this feature.
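To find out whether your own code uses this feature in the order described under Impact, the following added example (not part of the advisory or of curl) is a line-ordered, regex-based triage scan of C source. It flags any handle that takes part in a stream dependency, is then passed to curl_easy_reset(), and is later passed to curl_easy_cleanup(). The function name, the sample source and the choice to track both handles of a dependency are assumptions of this example, and the scan is a heuristic, not a C parser.

```python
import re

# Heuristic source triage for the setopt -> reset -> cleanup order (added example).
SETOPT = re.compile(
    r"curl_easy_setopt\s*\(\s*(\w+)\s*,\s*CURLOPT_STREAM_DEPENDS(?:_E)?\s*,\s*(\w+)\s*\)")
RESET = re.compile(r"curl_easy_reset\s*\(\s*(\w+)\s*\)")
CLEANUP = re.compile(r"curl_easy_cleanup\s*\(\s*(\w+)\s*\)")

def find_risky_handles(source):
    """Return [(handle, setopt_line, reset_line, cleanup_line)] for handles that
    take part in a stream dependency, are then reset, and later cleaned up."""
    dep_line, reset_line, findings = {}, {}, []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("//"):      # skip commented-out calls
            continue
        for m in SETOPT.finditer(line):
            for handle in m.groups():           # assumption: track both sides
                dep_line.setdefault(handle, lineno)
        for m in RESET.finditer(line):
            if m.group(1) in dep_line:          # reset only matters after setopt
                reset_line.setdefault(m.group(1), lineno)
        for m in CLEANUP.finditer(line):
            handle = m.group(1)
            if handle in reset_line:
                findings.append(
                    (handle, dep_line[handle], reset_line[handle], lineno))
            dep_line.pop(handle, None)          # variable name may be reused
            reset_line.pop(handle, None)
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
CURL *parent = curl_easy_init();
CURL *child = curl_easy_init();
CURL *plain = curl_easy_init();
curl_easy_setopt(child, CURLOPT_STREAM_DEPENDS_E, parent);
curl_easy_perform(child);
curl_easy_reset(child);
curl_easy_reset(plain);
curl_easy_cleanup(plain);
curl_easy_cleanup(child);
curl_easy_cleanup(parent);
'''

if __name__ == "__main__":
    for handle, s, r, c in find_risky_handles(SAMPLE):
        print(f"{handle}: dependency set at line {s}, reset at {r}, cleanup at {c}")
```

Handles passed across functions or stored in structs are not followed, so an empty result does not prove the sequence is absent.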
OpenCVE Enrichment