<Vulnerability name="CVE-2026-9080">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-03T06:17:34</PublicDate>
    <Bugzilla id="2496755" url="https://bugzilla.redhat.com/show_bug.cgi?id=2496755" xml:lang="en:us">
libcurl: libcurl: Use-after-free via curl_easy_pause() in CURLMOPT_SOCKETFUNCTION callback
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>7.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-825</CWE>
    <Details xml:lang="en:us" source="Mitre">
Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION`
callback triggers a use-after-free vulnerability, where libcurl attempts to
store a flag using a dangling struct pointer immediately after that pointer's
memory has been freed.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in libcurl. When `curl_easy_pause()` is called within the event-based `CURLMOPT_SOCKETFUNCTION` callback, a use-after-free vulnerability is triggered. This occurs because libcurl attempts to store a flag using a pointer to memory that has already been freed. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code.
    </Details>
    <Statement xml:lang="en:us">
This Important flaw in libcurl stems from a use-after-free vulnerability when `curl_easy_pause()` is called within the `CURLMOPT_SOCKETFUNCTION` callback. This could allow an attacker to achieve denial of service or arbitrary code execution without requiring user interaction or elevated privileges. While dependent on a specific application implementation, the broad adoption of libcurl means Red Hat products leveraging this callback pattern could be affected.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-06-24T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:29017">RHSA-2026:29017</Advisory>
        <Package name="curl-main">curl-main-8.21.0-0.1.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-02T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:34975">RHSA-2026:34975</Advisory>
        <Package name="rust-main">rust-main-1.96.1-1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>dotnet8.0</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_core_services:1">
        <ProductName>Red Hat JBoss Core Services</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libcurl-1.dll</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_core_services:1">
        <ProductName>Red Hat JBoss Core Services</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libcurl.so</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-9080
https://nvd.nist.gov/vuln/detail/CVE-2026-9080
https://curl.se/docs/CVE-2026-9080.html
https://curl.se/docs/CVE-2026-9080.json
https://hackerone.com/reports/3749204
    </References>
</Vulnerability>