CVE-2026-11586

Published: July 2, 2026Last modified: July 6, 2026

Description

By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTScurlFixed (8.21.0-r0)
StreamcurlFixed (8.21.0-r0)
Hardened ContainersStreamcurlFixed (8.21.0-r0)

References

ON THIS PAGE