{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-11586",
  "aliases": [
    "CVE-2026-11586"
  ],
  "summary": "WS Auto-PONG memory exhaustion",
  "modified": "2026-06-24T07:56:56.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-11586.json",
    "www": "https://curl.se/docs/CVE-2026-11586.html",
    "issue": "https://hackerone.com/reports/3788931",
    "CWE": {
      "id": "CWE-770",
      "desc": "Allocation of Resources Without Limits or Throttling"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.16.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "0b091328773c64e23f5c4739da74527093c6a5ab"},
             {"fixed": "849317ff5c5a5e13f50ec3d001e46ddffa77d8a4"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "evergarden1123 on hackerone (AntAISecurityLab)",
      "type": "FINDER"
    },
    {
      "name": "Stefan Eissing",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "By default, curl automatically responds to WebSocket PING frames. Because curl\nlacks an upper bound on memory allocation for unacknowledged frames, a\nmalicious server can exhaust all available memory by flooding curl with rapid,\nsequential PING messages."
}