# Verification Report: CVE-2026-10536

## Fix Summary

CVE-2026-10536 is a heap use-after-free in libcurl's HTTP/2 stream-dependency bookkeeping. The root cause is that `curl_easy_setopt(child, CURLOPT_STREAM_DEPENDS, parent)` creates a dependency node in `parent->set.priority.children` that points back at `child`, but `curl_easy_reset(child)` zeroes `child->set.priority` without removing that node. When the child handle is later freed and the parent is cleaned up, `data_priority_cleanup()` dereferences the freed child through the stale node. The chosen fix matches the upstream remediation for this deprecated feature: make `CURLOPT_STREAM_DEPENDS` and `CURLOPT_STREAM_DEPENDS_E` no-ops in `lib/setopt.c`. Because the only way to populate the dependency tree is through these two options, turning them into no-ops prevents the faulty bookkeeping from ever being created, eliminating the use-after-free while preserving backward compatibility of the API (the options are accepted but ignored).

## Changes Made

- `lib/setopt.c`
  - In `setopt_pointers()`, the `CURLOPT_STREAM_DEPENDS` and `CURLOPT_STREAM_DEPENDS_E` cases are changed from adding a child dependency to doing nothing.
  - A short comment explains that stream dependencies are no longer implemented but the options are accepted for backward compatibility.

No other files are modified. The remaining priority/dependency code in `lib/url.c` and `lib/http2.c` becomes unreachable through the public API, so it cannot trigger the bug.

## Verification Steps

1. Reuse the curl repository from the prepared project cache at the vulnerable commit (`curl-8_20_0`, `a05f34973e`).
2. Apply `bundle/coding/proposed_fix.diff` to `lib/setopt.c`.
3. Build a static, AddressSanitizer-enabled libcurl with the patch using the same configuration as the reproduction script (`--with-nghttp2 --with-openssl --enable-debug --disable-shared --enable-static`).
4. Compile the minimal C reproducer from the reproduction script, which:
   - creates a parent and child easy handle,
   - sets `CURLOPT_STREAM_DEPENDS` on the child to depend on the parent,
   - calls `curl_easy_reset(child)` and `curl_easy_cleanup(child)`,
   - finally calls `curl_easy_cleanup(parent)`.
5. Run the patched reproducer and confirm there is no AddressSanitizer error.

For comparison, the same reproducer was also linked against the unpatched vulnerable build; it produced a deterministic `heap-use-after-free` report in `priority_remove_child` at `lib/url.c:3516`, confirming the bug is present without the patch.

## Test Results

- **Vulnerable build:** AddressSanitizer reports `heap-use-after-free` in `priority_remove_child` (`lib/url.c:3516`) during `curl_easy_cleanup(parent)`.
- **Patched build:** Reproducer exits cleanly with exit code 0 and no sanitizer output.
- **Patch application:** `patch -p1` succeeds with the exact diff in `bundle/coding/proposed_fix.diff`.

## Remaining Concerns

- The fix intentionally removes the functionality of the deprecated dependency options rather than repairing the priority tree cleanup. This is consistent with the upstream resolution, which removed the feature entirely in 8.21.0.
- Applications relying on HTTP/2 stream dependencies for prioritization will no longer get that behavior. This is acceptable because the feature was already deprecated and rarely implemented by servers.
- Additional hardening: future maintainers could remove the now-dead priority-tree code in `lib/url.c` and `lib/http2.c` to reduce attack surface and binary size, but that is a larger cleanup change, not a minimal security fix.
