CVE-2026-11586
WS Auto-PONG memory exhaustion
Project curl Security Advisory, June 24 2026 Permalink
VULNERABILITY
By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
INFO
curl eventually and accurately returns "out of memory" if the "flood" is maintained long enough, but other parts of an application running out of available memory may not be as forgiving.
Switching off automatic PING responses with CURLWS_NOAUTOPONG set for CURLOPT_WS_OPTIONS(3) avoids this problem.
This bug is not considered a C mistake (not likely to have been avoided had we not been using C).
This flaw also affects the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-11586 to this issue.
CWE-770: Allocation of Resources Without Limits or Throttling
Severity: Low
AFFECTED VERSIONS
- Affected versions: curl 8.16.0 to and including 8.20.0
- Not affected versions: curl < 8.16.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/0b091328773c64e23f5
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.21.0
B - Apply the patch to your version and rebuild
C - Switch off the auto-pong feature
TIMELINE
This issue was reported to the curl project on June 8, 2026.
curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: evergarden1123 on hackerone (AntAISecurityLab)
- Patched-by: Stefan Eissing
Thanks a lot!