Memory Exhaustion Vulnerability in Curl Affects Multiple Versions
CVE-2026-11586
Currently unrated
What is CVE-2026-11586?
A vulnerability in curl allows a malicious server to abuse the handling of WebSocket PING frames. By default, curl responds to these PING frames automatically, and it places no upper limit on the memory allocated for unacknowledged frames. An attacker can therefore flood curl with a rapid series of PING messages, leading to potential memory exhaustion and a denial of service. This highlights the importance of applying security patches and following best practices in server management to mitigate such risks.
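The bounded alternative to an unbounded reply queue, as an added example that is not curl's code or its fix: RFC 6455 lets an endpoint that has not yet answered earlier PINGs send a PONG for only the most recent one, so a single 125-byte slot is enough. The struct and function names are hypothetical and the flood scenario is constructed.

```c
#include <stddef.h>
#include <string.h>

#define WS_CTRL_MAX 125  /* RFC 6455: control frame payload is at most 125 bytes */

/* Hypothetical client state: one slot for the PONG that still has to be sent. */
struct pong_slot {
    unsigned char payload[WS_CTRL_MAX];
    size_t len;
    int pending;             /* 1 while a PONG is waiting for the socket */
    unsigned long coalesced; /* PINGs whose unsent PONG was superseded */
};

/* Called for every received PING. Returns 0 on success, -1 for an oversized
 * control frame, which the caller should treat as a protocol error. */
int on_ping(struct pong_slot *s, const unsigned char *data, size_t len)
{
    if (len > WS_CTRL_MAX)
        return -1;
    if (s->pending)
        s->coalesced++;      /* replace the older unsent PONG, never queue it */
    if (len)
        memcpy(s->payload, data, len);
    s->len = len;
    s->pending = 1;
    return 0;
}

/* Called when the socket becomes writable. Copies the PONG payload into out
 * (at least WS_CTRL_MAX bytes); returns its length, or -1 if none is pending. */
long flush_pong(struct pong_slot *s, unsigned char *out)
{
    if (!s->pending)
        return -1;
    memcpy(out, s->payload, s->len);
    s->pending = 0;
    return (long)s->len;
}

/* Constructed scenario: the server sends n PINGs while the client cannot
 * write. Returns the number of buffered PONGs afterwards (0 or 1). */
int simulate_flood(struct pong_slot *s, unsigned long n)
{
    for (unsigned long i = 0; i < n; i++) {
        unsigned char body[4] = { (unsigned char)(i >> 24), (unsigned char)(i >> 16),
                                  (unsigned char)(i >> 8), (unsigned char)i };
        if (on_ping(s, body, sizeof body) != 0)
            return -1;
    }
    return s->pending;
}
```

Memory held for pending replies stays at `sizeof(struct pong_slot)` regardless of how many PINGs arrive, and the `coalesced` counter gives a signal that can be logged or used to close an abusive connection.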
Affected Version(s)
curl 8.20.0
curl 8.19.0
curl 8.18.0
