Curl QUIC HTTP/3 UDP DoS from Empty Datagram Abuse
CVE-2026-11352 Published on July 3, 2026
QUIC zero-length UDP datagrams busy-loop
An issue in curls QUIC UDP receive function allows a malicious HTTP/3 server
to trigger a remote denial of service against a curl or libcurl client.
Because the helper function discards zero-length UDP datagrams before counting
them toward the per-call packet budget, a connected QUIC peer can continuously
stream empty datagrams to indefinitely stall the client.
Vulnerability Analysis
CVE-2026-11352 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Products Associated with CVE-2026-11352
Want to know whenever a new CVE is published for Haxx Curl? stack.watch will email you.
Affected Versions
curl:- Version 8.20.0, <= 8.20.0 is affected.
- Version 8.19.0, <= 8.19.0 is affected.
- Version 8.18.0, <= 8.18.0 is affected.