CVE-2026-11586
curl · curl
A memory exhaustion vulnerability in curl allows a malicious server to crash the application by flooding it with WebSocket PING frames, because curl places no upper bound on the memory it allocates to answer them.
Executive summary
An unauthenticated remote attacker can cause a denial-of-service (DoS) condition in curl 8.16.0 through 8.20.0 by exhausting memory through rapid WebSocket PING frames.
Vulnerability
This vulnerability occurs because curl answers each WebSocket PING with an automatic PONG and, in affected versions, places no upper bound on the memory used to queue those pending responses for PINGs that have not yet been acknowledged. An unauthenticated attacker controlling the server can exploit this by sending a flood of PING messages, forcing the client to consume all available memory.
Business impact
The CVSS score of 7.5 (High) reflects the potential for significant service disruption. Successful exploitation results in a denial-of-service, which can lead to application instability or system crashes, impacting business continuity for services relying on curl for WebSocket communication.
Remediation
Immediate Action: Upgrade to curl version 8.21.0 or later, which introduces the necessary memory limits.
Proactive Monitoring: Monitor system memory usage for unusual spikes during WebSocket-heavy operations and review network logs for excessive PING frame traffic.
Compensating Controls: If upgrading is not immediately feasible, developers can mitigate this issue by setting the CURLWS_NOAUTOPONG flag via CURLOPT_WS_OPTIONS to disable curl's automatic PONG replies to PING frames. With automatic replies disabled, the application is responsible for answering PINGs itself (curl_ws_send with CURLWS_PONG) where the server expects them, and can do so at a rate it controls.
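The bounded handling that the fix restores, shown as an added illustration that is not curl's code: a minimal RFC 6455 frame parser that counts incoming PING frames and refuses to queue more than a fixed number of unanswered PONGs instead of growing without limit; the same scan can flag the excessive PING traffic mentioned under Proactive Monitoring. PING_BACKLOG_MAX and all function and type names are constructed for this example, and the actual limit curl 8.21.0 applies is not stated on this page.

```c
#include <stddef.h>
#include <stdint.h>
#define PING_BACKLOG_MAX 8    /* constructed cap; the limit curl 8.21.0 applies is not on the page */
typedef struct { int fin, opcode, masked; size_t hdr_len; uint64_t payload_len; } ws_frame;
typedef struct { size_t backlog, pings_seen; } ws_ping_state;

/* Parse one RFC 6455 frame at buf[0..len). Returns bytes consumed (header +
 * payload), 0 if the frame is incomplete, -1 if it is malformed. */
static long ws_parse_frame(const uint8_t *buf, size_t len, ws_frame *f) {
    if (len < 2) return 0;
    f->fin = buf[0] >> 7;  f->opcode = buf[0] & 0x0f;  f->masked = buf[1] >> 7;
    uint64_t plen = buf[1] & 0x7f;
    size_t hdr = 2;
    if (plen == 126) {                                /* 16-bit extended length */
        if (len < 4) return 0;
        plen = ((uint64_t)buf[2] << 8) | buf[3];  hdr = 4;
    } else if (plen == 127) {                         /* 64-bit extended length */
        if (len < 10) return 0;
        plen = 0;  hdr = 10;
        for (int i = 2; i < 10; i++) plen = (plen << 8) | buf[i];
    }
    if (f->masked) hdr += 4;                          /* 4-byte masking key follows */
    /* Control frames (opcode 0x8..0xF) must be unfragmented and <= 125 bytes. */
    if ((f->opcode & 0x8) && (!f->fin || plen > 125)) return -1;
    if (len < hdr || len - hdr < plen) return 0;      /* payload not fully received yet */
    f->hdr_len = hdr;  f->payload_len = plen;
    return (long)(hdr + plen);
}
/* Scan a received buffer for PINGs, adding each to the unanswered-PONG backlog
 * (drained by ws_pongs_flushed). Returns the PING count, or -1 on a malformed
 * frame or when the cap is reached: close the connection instead of growing. */
static int ws_scan_pings(ws_ping_state *st, const uint8_t *buf, size_t len) {
    int pings = 0;
    for (size_t off = 0; off < len; ) {
        ws_frame f;
        long n = ws_parse_frame(buf + off, len - off, &f);
        if (n < 0) return -1;                         /* protocol violation */
        if (n == 0) break;                            /* partial frame: wait for more data */
        if (f.opcode == 0x9) {                        /* PING control frame */
            if (st->backlog >= PING_BACKLOG_MAX) return -1;   /* bounded: refuse, do not grow */
            st->backlog++;  st->pings_seen++;  pings++;
        }
        off += (size_t)n;
    }
    return pings;
}
/* Call once n queued PONGs have actually been written to the socket. */
static void ws_pongs_flushed(ws_ping_state *st, size_t n) {
    st->backlog -= (n < st->backlog) ? n : st->backlog;
}
```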
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the ease of triggering this denial-of-service condition, organizations should prioritize patching to version 8.21.0. If immediate patching is not possible, implementing the CURLWS_NOAUTOPONG configuration change is a necessary temporary measure to protect against resource exhaustion.