CVE-2026-9080 (GCVE-0-2026-9080)
Vulnerability from cvelistv5 – Published: 2026-07-03 06:17 – Updated: 2026-07-03 06:17
VLAI
Title
UAF after pause in socket callback
Summary
Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION`
callback triggers a use-after-free vulnerability, where libcurl attempts to
store a flag using a dangling struct pointer immediately after that pointer's
memory has been freed.
Severity
No CVSS data available.
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| curl | curl |
Affected:
8.20.0 , ≤ 8.20.0
(semver)
Affected: 8.19.0 , ≤ 8.19.0 (semver) Affected: 8.18.0 , ≤ 8.18.0 (semver) Affected: 8.17.0 , ≤ 8.17.0 (semver) Affected: 8.16.0 , ≤ 8.16.0 (semver) Affected: 8.15.0 , ≤ 8.15.0 (semver) Affected: 8.14.1 , ≤ 8.14.1 (semver) Affected: 8.14.0 , ≤ 8.14.0 (semver) Affected: 8.13.0 , ≤ 8.13.0 (semver) |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "curl",
"vendor": "curl",
"versions": [
{
"lessThanOrEqual": "8.20.0",
"status": "affected",
"version": "8.20.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.19.0",
"status": "affected",
"version": "8.19.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.18.0",
"status": "affected",
"version": "8.18.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.17.0",
"status": "affected",
"version": "8.17.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.16.0",
"status": "affected",
"version": "8.16.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.15.0",
"status": "affected",
"version": "8.15.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.14.1",
"status": "affected",
"version": "8.14.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.14.0",
"status": "affected",
"version": "8.14.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.13.0",
"status": "affected",
"version": "8.13.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Rogers (Aisle Research)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Daniel Stenberg"
}
],
"descriptions": [
{
"lang": "en",
"value": "Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION`\ncallback triggers a use-after-free vulnerability, where libcurl attempts to\nstore a flag using a dangling struct pointer immediately after that pointer\u0027s\nmemory has been freed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-416 Use After Free",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T06:17:34.905Z",
"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9",
"shortName": "curl"
},
"references": [
{
"name": "json",
"url": "https://curl.se/docs/CVE-2026-9080.json"
},
{
"name": "www",
"url": "https://curl.se/docs/CVE-2026-9080.html"
},
{
"name": "issue",
"url": "https://hackerone.com/reports/3749204"
}
],
"title": "UAF after pause in socket callback"
}
},
"cveMetadata": {
"assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9",
"assignerShortName": "curl",
"cveId": "CVE-2026-9080",
"datePublished": "2026-07-03T06:17:34.905Z",
"dateReserved": "2026-05-20T12:59:50.588Z",
"dateUpdated": "2026-07-03T06:17:34.905Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-9080",
"date": "2026-07-05",
"epss": "0.00206",
"percentile": "0.10784"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-9080\",\"sourceIdentifier\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"published\":\"2026-07-03T07:16:25.713\",\"lastModified\":\"2026-07-03T07:16:25.713\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION`\\ncallback triggers a use-after-free vulnerability, where libcurl attempts to\\nstore a flag using a dangling struct pointer immediately after that pointer\u0027s\\nmemory has been freed.\"}],\"affected\":[{\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"affectedData\":[{\"vendor\":\"curl\",\"product\":\"curl\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"8.20.0\",\"lessThanOrEqual\":\"8.20.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"8.19.0\",\"lessThanOrEqual\":\"8.19.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"8.18.0\",\"lessThanOrEqual\":\"8.18.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"8.17.0\",\"lessThanOrEqual\":\"8.17.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"8.16.0\",\"lessThanOrEqual\":\"8.16.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"8.15.0\",\"lessThanOrEqual\":\"8.15.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"8.14.1\",\"lessThanOrEqual\":\"8.14.1\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"8.14.0\",\"lessThanOrEqual\":\"8.14.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"8.13.0\",\"lessThanOrEqual\":\"8.13.0\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{},\"references\":[{\"url\":\"https://curl.se/docs/CVE-2026-9080.html\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\"},{\"url\":\"https://curl.se/docs/CVE-2026-9080.json\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\"},{\"url\":\"https://hackerone.com/reports/3749204\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…