Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-11586

By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 44.9%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-11586
  • Haxx » Curl » Version: 8.16.0
    cpe:2.3:a:haxx:curl:8.16.0
  • Haxx » Curl » Version: 8.17.0
    cpe:2.3:a:haxx:curl:8.17.0
  • Haxx » Curl » Version: 8.18.0
    cpe:2.3:a:haxx:curl:8.18.0


Contact Us

Shodan ® - All rights reserved