Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
Unrated

UAF after pause in socket callback

IdentifiersCVE-2026-9080CWE-416

CVE-2026-9080 is a low-severity use-after-free vulnerability in libcurl’s multi socket callback lifecycle. When an application uses the event-driven multi interface and calls curl_easy_pause() from within the CURLMOPT_SOCKETFUNCTION socket callback, libcurl can free an internal structure and then immediately attempt to store a flag through the now-dangling pointer. In other words, pausing a transfer from inside the socket callback can leave libcurl writing through a freed internal pointer. The issue affects libcurl in curl versions 8.13.0 through 8.20.0 inclusive, was introduced by commit cfc657a48d, and was fixed in curl 8.21.0 by commit 5ab34cba42e4ee4282fe. The curl command-line tool is not affected.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering of the flaw causes a use-after-free memory-safety condition inside libcurl. Depending on allocator behavior, runtime conditions, and application integration, this can lead to process instability, crashes, or potentially other unintended memory corruption effects within the consuming application. The published material characterizes the issue as low severity, and the available information does not confirm in-the-wild exploitation.

Mitigation

If you can’t patch tonight, do this now.

Avoid calling curl_easy_pause() from within the CURLMOPT_SOCKETFUNCTION socket callback in affected deployments. Where code changes are feasible, restructure event-handling logic so pausing occurs outside the socket callback path. This is a workaround only; upgrading or patching remains the preferred mitigation.

Remediation

Patch, then assume compromise.

Upgrade curl/libcurl to version 8.21.0 or later, which contains the fix for CVE-2026-9080. If immediate upgrade is not possible, apply the upstream patch corresponding to fix commit 5ab34cba42e4ee4282fe and rebuild affected software. Verify that embedded or bundled libcurl copies in dependent applications are also updated, since the issue affects libcurl integrations rather than the curl CLI.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
security affairsNews
Jun 25, 2026
Curl Fixes a 25-Year-Old Bug in Its Largest CVE Release Yet - Security Affairs

A use-after-free vulnerability in libcurl's multi socket callback lifecycle where calling curl_easy_pause() inside a socket callback could leave libcurl writing through a freed internal pointer.

Read more
cyber security newsNews
Jun 25, 2026
25-Year-Old Vulnerability in curl Used by 30 Billion Devices Finally Patched

A use-after-free vulnerability in curl/libcurl triggered when curl_easy_pause() is called inside a multi socket callback.

Read more
security weekNews
Jun 25, 2026
25-Year-Old Vulnerability Patched in Curl - SecurityWeek

A curl/libcurl use-after-free vulnerability.

Read more
daniel haxx seNews
Jun 24, 2026
curl 8.21.0 | daniel.haxx.se

A low-severity curl/libcurl use-after-free vulnerability triggered after a pause in a socket callback.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-9080
NVD
nvd.nist.gov/vuln/detail/CVE-2026-9080
MITRE CWE · CWE-416
cwe.mitre.org