CVE-2026-11352

curl QUIC UDP Denial of Service Vulnerability

Vulnerability report for CVE-2026-11352, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: curl

Description

An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.



Affected Vendors & Products

Associated CPEs (2):

Vendor   Product   Version / Range
curl     curl      8.18.0 (inclusive) to 8.20.0 (inclusive)
curl     curl      8.21.0


Exploitability

CWE ID: CWE-UNKNOWN


Executive Summary

CVE-2026-11352 is a vulnerability in curl's QUIC UDP receive function that allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client.

The issue arises because a helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget. This enables a connected QUIC peer to continuously send empty datagrams, causing the client to stall indefinitely by entering an infinite loop.

This flaw affects curl versions 8.18.0 through 8.20.0 on platforms that use the recvmmsg() function call. It was fixed in curl version 8.21.0.
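The counting defect described above (in the Description and in this summary) can be modelled with a small receive loop. The following is an added example, not curl's code: `drain_vulnerable` mirrors the reported shape, where an empty datagram is discarded before the per-call packet budget is incremented, so a peer that only ever delivers empty datagrams never lets the loop reach its budget; `drain_fixed` counts every delivered datagram first and discards the empty one afterwards, which restores the bound. The `datagram_source` type, the function names and the sample datagram lengths are constructed for this demonstration; the `max_recv` guard exists only so the vulnerable variant terminates here, since the real loop has nothing equivalent.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a UDP socket (not curl's code). It hands out
 * datagrams in order; a length of 0 is an empty datagram. With
 * endless_empty set it keeps delivering empty datagrams once the sample
 * list is exhausted, modelling a peer that streams them forever. */
typedef struct {
    const size_t *lengths;   /* constructed sample: datagram lengths in arrival order */
    size_t count;            /* number of entries in lengths */
    size_t pos;              /* next datagram to deliver */
    int endless_empty;       /* 1: deliver empty datagrams forever after the list */
} datagram_source;

/* Returns 1 and sets *len if a datagram was delivered, 0 if the socket would block. */
static int recv_one(datagram_source *src, size_t *len) {
    if (src->pos < src->count) {
        *len = src->lengths[src->pos++];
        return 1;
    }
    if (src->endless_empty) {
        *len = 0;
        src->pos++;
        return 1;
    }
    return 0;
}

/* Vulnerable shape: the empty datagram is skipped BEFORE the budget counter
 * moves, so it never consumes budget. max_recv is a guard that exists only
 * so this demonstration terminates. Returns the number of recv calls made. */
size_t drain_vulnerable(datagram_source *src, size_t budget, size_t max_recv) {
    size_t counted = 0, calls = 0, len;
    while (counted < budget && calls < max_recv) {
        if (!recv_one(src, &len))
            break;                   /* nothing pending: hand control back */
        calls++;
        if (len == 0)
            continue;                /* bug: discarded without being counted */
        counted++;                   /* only non-empty packets reach the counter */
    }
    return calls;
}

/* Fixed shape: every delivered datagram counts toward the per-call budget,
 * empty or not, so the caller regains control after at most budget recv
 * calls. Returns the number of recv calls made. */
size_t drain_fixed(datagram_source *src, size_t budget) {
    size_t counted = 0, len;
    while (counted < budget) {
        if (!recv_one(src, &len))
            break;
        counted++;                   /* count first ... */
        if (len == 0)
            continue;                /* ... then discard the empty datagram */
        /* a real client would hand len bytes to the QUIC stack here */
    }
    return counted;
}

/* Constructed scenario: a peer that sends nothing but empty datagrams. */
size_t empty_stream_calls(int fixed, size_t budget, size_t guard) {
    datagram_source s = { NULL, 0, 0, 1 };
    return fixed ? drain_fixed(&s, budget) : drain_vulnerable(&s, budget, guard);
}

/* Constructed scenario: ordinary traffic with a few empty datagrams mixed in,
 * after which the socket would block. */
size_t mixed_stream_calls(int fixed, size_t budget, size_t guard) {
    static const size_t lens[] = { 1200, 0, 1200, 0 };
    datagram_source s = { lens, 4, 0, 0 };
    return fixed ? drain_fixed(&s, budget) : drain_vulnerable(&s, budget, guard);
}

int main(void) {
    printf("mixed traffic, budget 8: vulnerable=%zu calls, fixed=%zu calls\n",
           mixed_stream_calls(0, 8, 10000), mixed_stream_calls(1, 8, 10000));
    printf("empty stream, budget 8:  vulnerable=%zu calls (hit guard), fixed=%zu calls\n",
           empty_stream_calls(0, 8, 10000), empty_stream_calls(1, 8, 10000));
    return 0;
}
```

On ordinary traffic both variants behave identically, which is why the defect is easy to miss in testing; the difference only appears when the peer delivers empty datagrams faster than the loop can drain them. From an operations standpoint, an affected client shows up as a process pinned in its receive loop that never returns to the event loop, so a watchdog on per-call progress or a CPU-time alert on HTTP/3 clients is the practical detection until the upgrade in the Mitigation Strategies section is applied.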

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can cause a denial of service (DoS) condition on affected curl or libcurl clients.

A malicious HTTP/3 server can exploit this issue by sending continuous zero-length UDP datagrams, which stalls the client indefinitely and prevents it from functioning properly.

This can disrupt applications or services relying on curl or libcurl for HTTP/3 communication, potentially leading to service unavailability or degraded performance.

Mitigation Strategies

To mitigate this vulnerability, the curl project recommends upgrading to curl version 8.21.0, which contains the fix.

Alternatively, you can apply the patch provided for this issue and rebuild your current curl version.

Another immediate mitigation is to avoid using HTTP/3, which is the protocol involved in triggering this denial of service.
