CVE Catalog

CVE-2026-11586

Unknown
Published: Translated: NVD NIST

Summary

By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.

Risk Assessment

A malicious WebSocket server can cause memory exhaustion on the client system, leading to denial of service (DoS) for applications using curl.

Recommendation

It is recommended to update curl to a version that introduces an upper bound on memory allocation for unacknowledged WebSocket PING frames. Also consider limiting trust in WebSocket servers.

Original NVD description (English source)

By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS