By default, curl automatically responds to WebSocket PING frames. Because curl
lacks an upper bound on memory allocation for unacknowledged frames, a
malicious server can exhaust all available memory by flooding curl with rapid,
sequential PING messages.
References
| Link | Resource |
|---|---|
| https://curl.se/docs/CVE-2026-11586.html | Patch Vendor Advisory |
| https://curl.se/docs/CVE-2026-11586.json | Vendor Advisory |
| https://hackerone.com/reports/3788931 | Exploit Issue Tracking Third Party Advisory |
Configurations
History
07 Jul 2026, 17:59
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Haxx curl
Haxx |
|
| References | () https://curl.se/docs/CVE-2026-11586.html - Patch, Vendor Advisory | |
| References | () https://curl.se/docs/CVE-2026-11586.json - Vendor Advisory | |
| References | () https://hackerone.com/reports/3788931 - Exploit, Issue Tracking, Third Party Advisory | |
| CWE | CWE-770 | |
| CPE | cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* |
06 Jul 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
03 Jul 2026, 07:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-03 07:16
Updated : 2026-07-07 17:59
NVD link : CVE-2026-11586
Mitre link : CVE-2026-11586
CVE.ORG link : CVE-2026-11586
JSON object : View
Products Affected
haxx
- curl
CWE
CWE-770
Allocation of Resources Without Limits or Throttling
