CVE-2026-11586
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/07/2026
Last modified:
03/07/2026
Description
By default, curl automatically responds to WebSocket PING frames. Because curl<br />
lacks an upper bound on memory allocation for unacknowledged frames, a<br />
malicious server can exhaust all available memory by flooding curl with rapid,<br />
sequential PING messages.



