Memory Exhaustion Vulnerability in Curl Affects Multiple Versions
CVE-2026-11586

Currently unrated

Key Information:

Vendor: Curl

Status: Vendor

CVE Published: 3 July 2026

What is CVE-2026-11586?

A vulnerability discovered in Curl allows a malicious server to abuse the handling of WebSocket PING frames. By default, curl automatically answers incoming PING frames, and it places no upper limit on the memory allocated for frames that have not yet been acknowledged. A server can therefore flood curl with a rapid series of PING messages, potentially exhausting memory and causing a denial of service. This highlights the importance of applying security patches and following best practices in server management to mitigate such risks.

Affected Version(s)

curl 8.20.0

curl 8.19.0

curl 8.18.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

evergarden1123 on hackerone (AntAISecurityLab)
Stefan Eissing