7.5
CVE-2026-11586
- EPSS 0.86%
- Veröffentlicht 03.07.2026 06:13:04
- Zuletzt bearbeitet 07.07.2026 17:59:46
- Quelle 2499f714-1537-4658-8207-48ae4b
- CVE-Watchlists
- Unerledigt
WS Auto-PONG memory exhaustion
By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.86% | 0.542 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
https://hackerone.com/reports/3788931
https://curl.se/docs/CVE-2026-11586.html
https://curl.se/docs/CVE-2026-11586.json