libcurl UAF via curl_easy_pause() in SOCKETFUNCTION
CVE-2026-9080 Published on July 3, 2026

UAF after pause in socket callback
Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.

NVD


Products Associated with CVE-2026-9080

stack.watch emails you whenever new vulnerabilities are published in Canonical Ubuntu Linux or Haxx Curl. Just hit a watch button to start following.

 
 

Affected Versions

curl: