CVE-2026-11586
N/A
N/A
Summary
By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| curl | curl | 8.20.0 <= 8.20.0 | affected |
| curl | curl | 8.19.0 <= 8.19.0 | affected |
| curl | curl | 8.18.0 <= 8.18.0 | affected |
| curl | curl | 8.17.0 <= 8.17.0 | affected |
| curl | curl | 8.16.0 <= 8.16.0 | affected |
Weaknesses
- CWE-770 Allocation of Resources Without Limits or Throttling
References
- https://curl.se/docs/CVE-2026-11586.json
- https://curl.se/docs/CVE-2026-11586.html
- https://hackerone.com/reports/3788931
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.