{"api_version":"1","generated_at":"2026-07-03T18:06:40+00:00","cve":"CVE-2026-11586","urls":{"html":"https://cve.report/CVE-2026-11586","api":"https://cve.report/api/cve/CVE-2026-11586.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-11586","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-11586"},"summary":{"title":"WS Auto-PONG memory exhaustion","description":"By default, curl automatically responds to WebSocket PING frames. Because curl\nlacks an upper bound on memory allocation for unacknowledged frames, a\nmalicious server can exhaust all available memory by flooding curl with rapid,\nsequential PING messages.","state":"PUBLISHED","assigner":"curl","published_at":"2026-07-03 07:16:23","updated_at":"2026-07-03 07:16:23"},"problem_types":["CWE-770 Allocation of Resources Without Limits or Throttling"],"metrics":[],"references":[{"url":"https://curl.se/docs/CVE-2026-11586.html","name":"https://curl.se/docs/CVE-2026-11586.html","refsource":"2499f714-1537-4658-8207-48ae4bb9eae9","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://hackerone.com/reports/3788931","name":"https://hackerone.com/reports/3788931","refsource":"2499f714-1537-4658-8207-48ae4bb9eae9","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://curl.se/docs/CVE-2026-11586.json","name":"https://curl.se/docs/CVE-2026-11586.json","refsource":"2499f714-1537-4658-8207-48ae4bb9eae9","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-11586","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-11586","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.20.0 8.20.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.19.0 8.19.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.18.0 8.18.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.17.0 8.17.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.16.0 8.16.0 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"evergarden1123 on hackerone (AntAISecurityLab)","lang":"en"},{"source":"CNA","value":"Stefan Eissing","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"curl","vendor":"curl","versions":[{"lessThanOrEqual":"8.20.0","status":"affected","version":"8.20.0","versionType":"semver"},{"lessThanOrEqual":"8.19.0","status":"affected","version":"8.19.0","versionType":"semver"},{"lessThanOrEqual":"8.18.0","status":"affected","version":"8.18.0","versionType":"semver"},{"lessThanOrEqual":"8.17.0","status":"affected","version":"8.17.0","versionType":"semver"},{"lessThanOrEqual":"8.16.0","status":"affected","version":"8.16.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"evergarden1123 on hackerone (AntAISecurityLab)"},{"lang":"en","type":"remediation developer","value":"Stefan Eissing"}],"descriptions":[{"lang":"en","value":"By default, curl automatically responds to WebSocket PING frames. Because curl\nlacks an upper bound on memory allocation for unacknowledged frames, a\nmalicious server can exhaust all available memory by flooding curl with rapid,\nsequential PING messages."}],"problemTypes":[{"descriptions":[{"description":"CWE-770 Allocation of Resources Without Limits or Throttling","lang":"en"}]}],"providerMetadata":{"dateUpdated":"2026-07-03T06:13:04.448Z","orgId":"2499f714-1537-4658-8207-48ae4bb9eae9","shortName":"curl"},"references":[{"name":"json","url":"https://curl.se/docs/CVE-2026-11586.json"},{"name":"www","url":"https://curl.se/docs/CVE-2026-11586.html"},{"name":"issue","url":"https://hackerone.com/reports/3788931"}],"title":"WS Auto-PONG memory exhaustion"}},"cveMetadata":{"assignerOrgId":"2499f714-1537-4658-8207-48ae4bb9eae9","assignerShortName":"curl","cveId":"CVE-2026-11586","datePublished":"2026-07-03T06:13:04.448Z","dateReserved":"2026-06-08T12:17:42.037Z","dateUpdated":"2026-07-03T06:13:04.448Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-03 07:16:23","lastModifiedDate":"2026-07-03 07:16:23","problem_types":["CWE-770 Allocation of Resources Without Limits or Throttling"],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"11586","Ordinal":"1","Title":"WS Auto-PONG memory exhaustion","CVE":"CVE-2026-11586","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"11586","Ordinal":"1","NoteData":"By default, curl automatically responds to WebSocket PING frames. Because curl\nlacks an upper bound on memory allocation for unacknowledged frames, a\nmalicious server can exhaust all available memory by flooding curl with rapid,\nsequential PING messages.","Type":"Description","Title":"WS Auto-PONG memory exhaustion"}]}}}