Denial of Service via WebSocket PING flood
Summary
By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages. A flaw was found in curl. A malicious server can exploit this vulnerability by sending rapid, sequential WebSocket PING messages. Due to a lack of an upper bound on memory allocation for unacknowledged frames, curl can be forced to exhaust all available memory, leading to a denial of service. This Important denial of service vulnerability in curl allows a remote malicious server to exhaust system memory. By default, curl automatically responds to WebSocket PING frames without an upper bound on memory allocation, enabling an attacker to trigger resource exhaustion and cause service unavailability in affected Red Hat products. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-770. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships. Will not fix / out of support: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7.
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Official advisory · high-confidence parse· fetched 59 seconds ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.