CVE-2026-11352
Received
Received - Intake
curl QUIC UDP Denial of Service Vulnerability
Vulnerability report for CVE-2026-11352, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-03
Last updated on: 2026-07-03
Assigner: curl
Description
Description
An issue in curlβs QUIC UDP receive function allows a malicious HTTP/3 server
to trigger a remote denial of service against a curl or libcurl client.
Because the helper function discards zero-length UDP datagrams before counting
them toward the per-call packet budget, a connected QUIC peer can continuously
stream empty datagrams to indefinitely stall the client.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| curl | curl | From 8.18.0 (inc) to 8.20.0 (inc) |
| curl | curl | 8.21.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |