{
  "parent_issue": "CVE-2026-10536",
  "root_cause_summary": "libcurl's HTTP/2 stream-dependency tree uses inter-handle pointers (set.priority.parent and set.priority.children) whose lifetime is not synchronized with the referenced handles. When a child handle is reset/freed, or when a parent handle is reset/freed, or when a parent is duplicated, the remaining handles can hold stale pointers to already-freed memory.",
  "shared_sink": {
    "function": "data_priority_cleanup",
    "file": "lib/url.c",
    "line": 3587
  },
  "shared_helper": {
    "function": "priority_remove_child",
    "file": "lib/url.c",
    "line": 3510
  },
  "variants": [
    {
      "variant_id": "CVE-2026-10536-duphandle",
      "trigger": "curl_easy_duphandle(parent) after CURLOPT_STREAM_DEPENDS creates two parent handles sharing one Curl_data_prio_node; cleanup of the original parent frees the node, and cleanup of the clone dereferences it.",
      "entrypoint": "curl_easy_duphandle",
      "trust_boundary": "library_api",
      "same_root_cause": true
    },
    {
      "variant_id": "CVE-2026-10536-reset-parent",
      "trigger": "curl_easy_reset(parent) zeroes the parent's children list but not the child's parent pointer; cleanup of the child then dereferences the freed parent.",
      "entrypoint": "curl_easy_reset + curl_easy_cleanup",
      "trust_boundary": "library_api",
      "same_root_cause": true
    }
  ],
  "fix_equivalence": "The upstream fix removes the dependency tree entirely, so all variants that rely on the tree are closed by the same change."
}
