Curl QUIC HTTP/3 UDP DoS from Empty Datagram Abuse
CVE-2026-11352 Published on July 3, 2026

QUIC zero-length UDP datagrams busy-loop
An issue in curls QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.

NVD

Vulnerability Analysis

CVE-2026-11352 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Products Associated with CVE-2026-11352

Want to know whenever a new CVE is published for Haxx Curl? stack.watch will email you.

 

Affected Versions

curl: