{"id":"CURL-CVE-2026-11586","summary":"WS Auto-PONG memory exhaustion","details":"By default, curl automatically responds to WebSocket PING frames. Because curl\nlacks an upper bound on memory allocation for unacknowledged frames, a\nmalicious server can exhaust all available memory by flooding curl with rapid,\nsequential PING messages.","aliases":["CVE-2026-11586"],"modified":"2026-06-24T08:07:05.358483Z","published":"2026-06-24T08:00:00Z","database_specific":{"package":"curl","www":"https://curl.se/docs/CVE-2026-11586.html","severity":"Low","issue":"https://hackerone.com/reports/3788931","URL":"https://curl.se/docs/CVE-2026-11586.json","last_affected":"8.20.0","affects":"both","CWE":{"desc":"Allocation of Resources Without Limits or Throttling","id":"CWE-770"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.16.0"},{"fixed":"8.21.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"0b091328773c64e23f5c4739da74527093c6a5ab"},{"fixed":"849317ff5c5a5e13f50ec3d001e46ddffa77d8a4"}]}],"versions":["8.20.0","8.19.0","8.18.0","8.17.0","8.16.0","rc-8_21_0-2","rc-8_21_0-1","curl-8_20_0","rc-8_20_0-3","rc-8_20_0-2","rc-8_20_0-1","curl-8_19_0","rc-8_19_0-3","rc-8_19_0-2","rc-8_19_0-1","curl-8_18_0","rc-8_18_0-3","rc-8_18_0-2","rc-8_18_0-1","curl-8_17_0","curl-8_16_0"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/curl/curl.git/commit/849317ff5c5a5e13f50ec3d001e46ddffa77d8a4","signature_type":"Function","signature_version":"v1","id":"CURL-CVE-2026-11586-716a9721","digest":{"function_hash":"148523427819478986185640703811775235750","length":547},"deprecated":false,"target":{"function":"ws_enc_add_cntrl","file":"lib/ws.c"}},{"source":"https://github.com/curl/curl.git/commit/849317ff5c5a5e13f50ec3d001e46ddffa77d8a4","signature_type":"Function","signature_version":"v1","id":"CURL-CVE-2026-11586-d19cf8f9","digest":{"function_hash":"38707464548119093148878866268571100978","length":1246},"deprecated":false,"target":{"function":"ws_flush","file":"lib/ws.c"}},{"source":"https://github.com/curl/curl.git/commit/849317ff5c5a5e13f50ec3d001e46ddffa77d8a4","signature_type":"Function","signature_version":"v1","id":"CURL-CVE-2026-11586-e10ab93f","digest":{"function_hash":"152653730465138214257951274397922881871","length":1345},"deprecated":false,"target":{"function":"ws_cw_write","file":"lib/ws.c"}},{"source":"https://github.com/curl/curl.git/commit/849317ff5c5a5e13f50ec3d001e46ddffa77d8a4","signature_type":"Line","signature_version":"v1","id":"CURL-CVE-2026-11586-f4b8cf44","digest":{"line_hashes":["293447003980659176917234527467508611182","184333020907240303466394169148227369453","297792235032380559157923729860524131899","34215734356848894295068080973402626345","242575203789697467402831565613094054641","25887743304584439995215938468150252922","281894467210479228447560309550841676530","190663008595347900527559397672186726185","44443287644121014087903496253634657568","238018776025897558170169387945359714744","321858754205892765423867630624891243030","267534602929198096029553488892737581803","91821830427483098291952496218993783792","182442870708779635011973243033759177917","80158165353685967423849559156322094550","102239406834827656592309192200713103504","90512970073904278651767210372953135223","13008687535060876720328318729048355644","226501221663708122671910077025036996000","63296664067006173091319816889473904114","54142548748840883216012593019733887504","102968463275218497157981005314252961270","112033335776164373886715487042256163228","163032271653988957072147900544676185322","30019208279720072884252294566129214054","337455770035258984070860537195321149860","312650177316440713362850982928367942611","168478594837605450119258908671390163842","68228626452133810012227197464834869612","203650736056108616305718081764105483230","279180683152164507232149443536673522226","194656984258159220139661398690602800488","104310717983247557129376396257213955022"],"threshold":0.9},"deprecated":false,"target":{"file":"lib/ws.c"}}],"source":"https://curl.se/docs/CURL-CVE-2026-11586.json","vanir_signatures_modified":"2026-06-24T08:07:05Z"}}],"schema_version":"1.7.5","credits":[{"name":"evergarden1123 on hackerone (AntAISecurityLab)","type":"FINDER"},{"name":"Stefan Eissing","type":"REMEDIATION_DEVELOPER"}]}