CVE-2026-11586 PUBLISHED

WS Auto-PONG memory exhaustion

Assigner: curl
Reserved: 08.06.2026 Published: 03.07.2026 Updated: 03.07.2026

By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
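The CWE-770 pattern the advisory describes, modelled as an added example that is not curl's code: a hypothetical client-side queue of auto-PONG replies, with the unbounded behaviour (cap = 0) beside a hard limit that refuses further allocation so the caller can close the connection instead. The queue layout, the `ws_queue_pong` / `ws_simulate_ping_flood` names and the 1000-byte cap are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a WebSocket client's auto-PONG reply queue
 * (not curl's implementation). A server that sends PINGs faster than
 * the client can flush PONGs grows this queue; with no cap it grows
 * until allocation fails. */

#define WS_CONTROL_MAX_PAYLOAD 125  /* RFC 6455 control-frame payload limit */

struct pong_queue {
    unsigned char *buf;   /* queued PONG frames, contiguous (assumed layout) */
    size_t len;           /* bytes queued and not yet written to the socket */
    size_t cap;           /* 0 = unbounded (the vulnerable shape), else limit */
};

/* Queue one PONG echoing a PING payload. Returns false when the bounded
 * queue would exceed cap (or on any error); the caller is expected to
 * close the connection rather than keep allocating. */
bool ws_queue_pong(struct pong_queue *q, const unsigned char *payload, size_t plen) {
    if (plen > WS_CONTROL_MAX_PAYLOAD)
        return false;
    size_t frame_len = 2 + 4 + plen;          /* header + mask key + payload */
    if (q->cap && q->len + frame_len > q->cap)
        return false;                         /* limit reached: refuse, do not grow */
    unsigned char *nb = realloc(q->buf, q->len + frame_len);
    if (!nb)
        return false;
    q->buf = nb;
    nb[q->len] = 0x8A;                        /* FIN + opcode 0xA (PONG) */
    nb[q->len + 1] = 0x80 | (unsigned char)plen; /* MASK bit + payload length */
    memset(nb + q->len + 2, 0, 4);            /* mask key (constructed: all zero) */
    memcpy(nb + q->len + 6, payload, plen);   /* zero mask leaves payload as-is */
    q->len += frame_len;
    return true;
}

/* Simulate n back-to-back PINGs arriving with no chance to flush.
 * Returns how many PONGs were accepted before the queue refused. */
size_t ws_simulate_ping_flood(size_t cap, size_t n) {
    struct pong_queue q = { NULL, 0, cap };
    const unsigned char ping_payload[4] = { 'p', 'i', 'n', 'g' }; /* constructed */
    size_t accepted = 0;
    while (accepted < n && ws_queue_pong(&q, ping_payload, sizeof ping_payload))
        accepted++;
    free(q.buf);
    return accepted;
}
```

Each queued frame here is 10 bytes, so a 1000-byte cap stops the flood after 100 PONGs, while cap = 0 accepts every PING the server sends.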

Product Status

Vendor curl
Product curl
Versions (default: unaffected)
  • affected from 8.20.0 to 8.20.0 (incl.)
  • affected from 8.19.0 to 8.19.0 (incl.)
  • affected from 8.18.0 to 8.18.0 (incl.)
  • affected from 8.17.0 to 8.17.0 (incl.)
  • affected from 8.16.0 to 8.16.0 (incl.)

Credits

  • evergarden1123 on hackerone (AntAISecurityLab) finder
  • Stefan Eissing remediation developer

Problem Types

  • CWE-770 Allocation of Resources Without Limits or Throttling