CVE-2026-10536

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via CURLOPT STREAM DEPENDS or CURLOPT STREAM DEPENDS E, subsequently invokes curl easy reset(), and finally terminates the handle with curl easy cleanup(). During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already deallocated during the reset operation.