From 86b39c2226d7114c7720230b5662aa352e1e631f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 27 Mar 2026 14:49:24 +0100
Subject: [PATCH] transfer: clear the URL pointer in OOM to avoid UAF
Since the pointer can be extracted with CURLINFO_EFFECTIVE_URL later it must not linger pointing to freed memory.
Found by Codex Security
Closes #21123
---
 lib/transfer.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/transfer.c b/lib/transfer.c
index ced231d0f0..2eb8f22511 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -469,6 +469,8 @@ CURLcode Curl_pretransfer(struct Curl_easy *data)
 uc = curl_url_get(data->set.uh,
 CURLUPART_URL, &data->set.str[STRING_SET_URL], 0);
 if(uc) {
+ /* clear the pointer to not point to freed memory anymore */
+ Curl_bufref_set(&data->state.url, NULL, 0, NULL);
 failf(data, "No URL set");
 return CURLE_URL_MALFORMAT;
 }
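Review bot: The reset of `data->state.url` sits only inside the `if(uc)` error branch, so the reference presumably still dangles from the point where the old `data->set.str[STRING_SET_URL]` string is released until this line. That release is above the hunk and not visible here, and Curl_pretransfer's body starts and continues outside the hunk. Placing `Curl_bufref_set(&data->state.url, NULL, 0, NULL);` directly next to that free would keep the two pointers in step on every path, including any early return added later. The comment would also be easier to audit if it named what was freed and who can read it, e.g. `/* state.url may alias the freed STRING_SET_URL string; reset it so CURLINFO_EFFECTIVE_URL cannot return it */`. Separately, this branch reports every `curl_url_get()` failure as `CURLE_URL_MALFORMAT` with "No URL set", so the out-of-memory case named in the subject is surfaced as a bad URL; `return (uc == CURLUE_OUT_OF_MEMORY) ? CURLE_OUT_OF_MEMORY : CURLE_URL_MALFORMAT;` would separate the two.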