CVE-2026-11586

EUVD-2026-41500
By default, curl automatically responds to WebSocket PING frames. Because curl
lacks an upper bound on memory allocation for unacknowledged frames, a
malicious server can exhaust all available memory by flooding curl with rapid,
sequential PING messages.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
curlCNA
UNKNOWN
---
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
curlcurl
𝑥
≤ 8.20.0
CNA
curlcurl
𝑥
≤ 8.19.0
CNA
curlcurl
𝑥
≤ 8.18.0
CNA
curlcurl
𝑥
≤ 8.17.0
CNA
curlcurl
𝑥
≤ 8.16.0
CNA
Debian logo
Debian Releases
Debian Product
Codename
curl
bookworm
7.88.1-10+deb12u14
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
bullseye
7.74.0-1.3+deb11u13
fixed
bullseye (security)
7.74.0-1.3+deb11u16
fixed
forky
vulnerable
sid
8.21.0-2
fixed
trixie
8.14.1-2+deb13u3
fixed