From a43ea5943bb553c73777d33e353ccffcc52a23fb Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Wed, 18 Mar 2026 10:12:46 +0100
Subject: [PATCH] http2: clear the h2 session at delete
When calling nghttp2 to delete session, clear the pointer to avoid risk of UAF.
Pointed out by Codex Security
Closes #20975
---
 lib/http2.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/http2.c b/lib/http2.c
index 68ee4805e8..56aa798d0d 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -203,6 +203,7 @@ static void cf_h2_ctx_close(struct cf_h2_ctx *ctx)
 {
 if(ctx->h2) {
 nghttp2_session_del(ctx->h2);
+ ctx->h2 = NULL;
 }
 }
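Review bot: The added `ctx->h2 = NULL;` in cf_h2_ctx_close has no comment explaining why it is there, so a later cleanup could mistake it for a dead store and remove it. I would put `/* clear the pointer so a repeated close or a later use cannot reach the freed session */` on the line above it. With the pointer reset, a second call falls through the existing `if(ctx->h2)` guard, which removes the double-free path. This only protects code that tests `ctx->h2` before using it; whether every other user of the field does so is not visible in this hunk and is worth checking alongside the change.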