[curl] UAF and double-free in MQTT sending [CVE-2021-22945]
Original Post:
We discussed this vulnerability during Episode 84 on 21 September 2021
Straightforward use-after-free in libcurl when sending MQTT data. The mqtt_doing()
routine attempts to send any remainder of an outgoing packet through the mq->sendleftovers
pointer, then frees that buffer but never clears the reference. If the routine runs again, the stale pointer is handed to the send path once more and freed a second time, giving a use-after-free followed by a double free.
On glibc, a double free of this kind is the usual precondition for tcache poisoning, which can leak heap metadata or be turned into an arbitrary write, though in practice it would have to be shaped around how the application handles and stores message data. The curl maintainers and the researcher go back and forth on the exploitability of the issue; ultimately the curl maintainers agree that it is a security issue and fix it.
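To make the bug class concrete, here is an added example that models the pattern described above; it is not libcurl's code. The struct, the `fake_write` transport that always fails, the `tracked_free` shim and the two `doing_*` handlers are all assumptions made for the demonstration. The vulnerable handler frees the leftover buffer but leaves the state pointing at it, so a second call reuses and re-frees the block; the fixed handler detaches the buffer from the state before freeing it. The shim counts a repeated free of the same address instead of passing it to the allocator, so the program runs to completion and reports the defect rather than crashing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* free() shim for the demonstration: a second free of the same address is
 * counted rather than handed to the allocator, so the program never invokes
 * the undefined behaviour it is illustrating. */
static void *g_last_freed = NULL;
static int g_double_frees = 0;

static void tracked_free(void *p)
{
    if (p == NULL)
        return;
    if (p == g_last_freed) {       /* same block freed twice */
        g_double_frees++;
        return;
    }
    g_last_freed = p;
    free(p);
}

/* Per-connection state (assumed shape): a heap buffer of unsent bytes and its
 * length, mirroring the "leftovers" idea in the advisory. */
struct mq_state {
    char *sendleftovers;
    size_t nsend;
};

/* Simulated socket write that reports a transport error and sends nothing,
 * the situation in which the buffer gets freed while still referenced. */
static int fake_write(const char *buf, size_t len, size_t *written)
{
    (void)buf;
    (void)len;
    *written = 0;
    return -1;
}

/* Vulnerable shape: the buffer is freed after the send attempt, but
 * mq->sendleftovers and mq->nsend still describe it. A repeated call
 * reads the freed block (use-after-free) and frees it again. */
static int doing_vulnerable(struct mq_state *mq)
{
    if (mq->nsend) {
        size_t n;
        char *ptr = mq->sendleftovers;
        int rc = fake_write(ptr, mq->nsend, &n);
        tracked_free(ptr);          /* mq->sendleftovers now dangles */
        if (rc)
            return rc;
    }
    return 0;
}

/* Fixed shape: detach the buffer from the connection state before it is
 * freed, so a repeated call finds nothing to send and nothing to free.
 * (A real partial-send path would store the unsent remainder as a fresh
 * copy; this model only needs the failure case.) */
static int doing_fixed(struct mq_state *mq)
{
    if (mq->nsend) {
        size_t n;
        size_t len = mq->nsend;
        char *ptr = mq->sendleftovers;
        mq->sendleftovers = NULL;
        mq->nsend = 0;
        int rc = fake_write(ptr, len, &n);
        tracked_free(ptr);          /* state no longer references ptr */
        if (rc)
            return rc;
    }
    return 0;
}

/* Runs a handler twice on a connection holding leftover bytes (a constructed
 * sample) and returns how many double frees the shim observed. */
static int run_twice(int (*doing)(struct mq_state *))
{
    static const char payload[] = "constructed leftover MQTT bytes";
    struct mq_state mq;
    mq.sendleftovers = malloc(sizeof payload);
    if (!mq.sendleftovers)
        return -1;
    memcpy(mq.sendleftovers, payload, sizeof payload);
    mq.nsend = sizeof payload;
    g_last_freed = NULL;
    g_double_frees = 0;
    doing(&mq);                     /* first attempt: write fails, buffer freed */
    doing(&mq);                     /* second attempt before any cleanup */
    return g_double_frees;
}

int main(void)
{
    printf("vulnerable handler: %d double free(s)\n", run_twice(doing_vulnerable));
    printf("fixed handler:      %d double free(s)\n", run_twice(doing_fixed));
    return 0;
}
```

The same dangling-reference check is what AddressSanitizer reports as "attempting double-free" when the shim is replaced by a plain `free()`; building the vulnerable handler with `-fsanitize=address` is the quickest way to confirm the defect in real code.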