Vulnerability Details CVE-2026-11586
By default, curl automatically responds to WebSocket PING frames. Because curl
lacks an upper bound on memory allocation for unacknowledged frames, a
malicious server can exhaust all available memory by flooding curl with rapid,
sequential PING messages.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 44.9%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-11586
-
cpe:2.3:a:haxx:curl:8.16.0
-
cpe:2.3:a:haxx:curl:8.17.0
-
cpe:2.3:a:haxx:curl:8.18.0