CURL-CVE-2026-11586

Source
https://curl.se/docs/CVE-2026-11586.html
Import Source
https://curl.se/docs/CURL-CVE-2026-11586.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2026-11586
Aliases
  • CVE-2026-11586
Published
2026-06-24T08:00:00Z
Modified
2026-06-24T08:07:05.358483Z
Summary
WS Auto-PONG memory exhaustion
Details

By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.

Database specific
{
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2026-11586.json",
    "last_affected": "8.20.0",
    "issue": "https://hackerone.com/reports/3788931",
    "affects": "both",
    "severity": "Low",
    "www": "https://curl.se/docs/CVE-2026-11586.html",
    "CWE": {
        "desc": "Allocation of Resources Without Limits or Throttling",
        "id": "CWE-770"
    }
}
References
Credits
    • evergarden1123 on hackerone (AntAISecurityLab) - FINDER
    • Stefan Eissing - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
8.16.0
Fixed
8.21.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

8.*
8.16.0
8.17.0
8.18.0
8.19.0
8.20.0
Other
curl-8_16_0
curl-8_17_0
curl-8_18_0
curl-8_19_0
curl-8_20_0
rc-8_18_0-1
rc-8_18_0-2
rc-8_18_0-3
rc-8_19_0-1
rc-8_19_0-2
rc-8_19_0-3
rc-8_20_0-1
rc-8_20_0-2
rc-8_20_0-3
rc-8_21_0-1
rc-8_21_0-2

Database specific

source
"https://curl.se/docs/CURL-CVE-2026-11586.json"
vanir_signatures_modified
"2026-06-24T08:07:05Z"
vanir_signatures
[
    {
        "target": {
            "file": "lib/ws.c",
            "function": "ws_enc_add_cntrl"
        },
        "id": "CURL-CVE-2026-11586-716a9721",
        "source": "https://github.com/curl/curl.git/commit/849317ff5c5a5e13f50ec3d001e46ddffa77d8a4",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 547.0,
            "function_hash": "148523427819478986185640703811775235750"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/ws.c",
            "function": "ws_flush"
        },
        "id": "CURL-CVE-2026-11586-d19cf8f9",
        "source": "https://github.com/curl/curl.git/commit/849317ff5c5a5e13f50ec3d001e46ddffa77d8a4",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1246.0,
            "function_hash": "38707464548119093148878866268571100978"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/ws.c",
            "function": "ws_cw_write"
        },
        "id": "CURL-CVE-2026-11586-e10ab93f",
        "source": "https://github.com/curl/curl.git/commit/849317ff5c5a5e13f50ec3d001e46ddffa77d8a4",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1345.0,
            "function_hash": "152653730465138214257951274397922881871"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/ws.c"
        },
        "id": "CURL-CVE-2026-11586-f4b8cf44",
        "source": "https://github.com/curl/curl.git/commit/849317ff5c5a5e13f50ec3d001e46ddffa77d8a4",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "signature_version": "v1"
    }
]