WS Auto-PONG memory exhaustion
Summary
| CVE | CVE-2026-11586 |
|---|---|
| State | PUBLISHED |
| Assigner | curl |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-03 07:16:23 UTC |
| Updated | 2026-07-03 07:16:23 UTC |
| Description | By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages. |
Risk And Classification
Problem Types: CWE-770 Allocation of Resources Without Limits or Throttling
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Curl | Curl | affected 8.20.0 8.20.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.19.0 8.19.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.18.0 8.18.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.17.0 8.17.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.16.0 8.16.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| curl.se/docs/CVE-2026-11586.html | 2499f714-1537-4658-8207-48ae4bb9eae9 | curl.se | |
| hackerone.com/reports/3788931 | 2499f714-1537-4658-8207-48ae4bb9eae9 | hackerone.com | |
| curl.se/docs/CVE-2026-11586.json | 2499f714-1537-4658-8207-48ae4bb9eae9 | curl.se | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: evergarden1123 on hackerone (AntAISecurityLab) (en)
CNA: Stefan Eissing (en)
There are currently no legacy QID mappings associated with this CVE.