An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server
to trigger a remote denial of service against a curl or libcurl client.
Because the helper function discards zero-length UDP datagrams before counting
them toward the per-call packet budget, a connected QUIC peer can continuously
stream empty datagrams to indefinitely stall the client.
Metrics
Affected Vendors & Products
References
History
Fri, 03 Jul 2026 07:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Curl
Curl curl |
|
| Vendors & Products |
Curl
Curl curl |
Fri, 03 Jul 2026 06:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client. | |
| Title | QUIC zero-length UDP datagrams busy-loop | |
| References |
|
Status: PUBLISHED
Assigner: curl
Published:
Updated: 2026-07-03T06:12:10.777Z
Reserved: 2026-06-05T11:23:43.389Z
Link: CVE-2026-11352
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-03T07:30:09Z