🔴 Critical  |  Source: Microsoft Security Response Center


CVE-2026-10536 is a Use-After-Free (UAF) vulnerability in the HTTP/2 stream-dependency tree handling, affecting Azure services. UAF flaws occur when a programme continues to use memory after it has been freed, which can allow an attacker to execute arbitrary code or cause a service crash. This vulnerability is particularly concerning given how broadly HTTP/2 is used across cloud-native workloads and APIs.

Security Architect’s Take: Review any Azure services and self-managed workloads that expose HTTP/2 endpoints, and apply Microsoft’s patches immediately — UAF vulnerabilities with network-reachable attack surfaces can be exploited remotely and should be treated as urgent. Consider temporarily enforcing HTTP/1.1 on critical API gateways or load balancers as a short-term mitigation if patching cannot be completed immediately.

Original advisory: CVE-2026-10536 HTTP/2 stream-dependency tree UAF