By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
History

Fri, 03 Jul 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Curl
Curl curl
Vendors & Products Curl
Curl curl

Fri, 03 Jul 2026 06:45:00 +0000

Type Values Removed Values Added
Description By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
Title WS Auto-PONG memory exhaustion
References

cve-icon MITRE

Status: PUBLISHED

Assigner: curl

Published:

Updated: 2026-07-03T06:13:04.448Z

Reserved: 2026-06-08T12:17:42.037Z

Link: CVE-2026-11586

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-03T07:30:09Z