CVE-2026-11586
WS Auto-PONG memory exhaustion
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
| Vendor | curl |
| Product | curl |
| Published | Jul 3, 2026 |
Affected Versions
curl / curl
8.20.0 ≤ 8.20.0
8.19.0 ≤ 8.19.0
8.18.0 ≤ 8.18.0
8.17.0 ≤ 8.17.0
8.16.0 ≤ 8.16.0
Credits
evergarden1123 on hackerone (AntAISecurityLab)
Stefan Eissing