WS Auto-PONG memory exhaustion
==============================

Project curl Security Advisory, June 24 2026
[Permalink](https://curl.se/docs/CVE-2026-11586.html)

VULNERABILITY
-------------

By default, curl automatically responds to WebSocket PING frames. Because curl
lacks an upper bound on memory allocation for unacknowledged frames, a
malicious server can exhaust all available memory by flooding curl with rapid,
sequential PING messages.

INFO
----

curl eventually and accurately returns "out of memory" if the "flood" is
maintained long enough, but other parts of an application running out of
available memory may not be as forgiving.

Switching off automatic PING responses with `CURLWS_NOAUTOPONG` set for
CURLOPT_WS_OPTIONS(3) avoids this problem.

This bug is not considered a *C mistake* (not likely to have been avoided had
we not been using C).

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-11586 to this issue.

CWE-770: Allocation of Resources Without Limits or Throttling

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 8.16.0 to and including 8.20.0
- Not affected versions: curl < 8.16.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/0b091328773c64e23f5

libcurl is used by many applications, but not always advertised as such!

SOLUTION
------------

- Fixed-in: https://github.com/curl/curl/commit/849317ff5c5a5e13f50ec3d0

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl and libcurl to version 8.21.0

 B - Apply the patch to your version and rebuild

 C - Switch off the auto-pong feature

TIMELINE
---------

This issue was reported to the curl project on June 8, 2026.

curl 8.21.0 was released on June 24 2026, coordinated with the publication of
this advisory.

CREDITS
-------

- Reported-by: evergarden1123 on hackerone (AntAISecurityLab)
- Patched-by: Stefan Eissing

Thanks a lot!