Denial of Service Vulnerability in Curl and Libcurl Products
CVE-2026-11352

Currently unrated

Key Information:

Vendor

Curl

Status
Vendor
CVE Published: 3 July 2026

What is CVE-2026-11352?

A vulnerability in the QUIC UDP receive function of curl and libcurl allows a malicious HTTP/3 server to stall the client indefinitely by sending a continuous stream of empty UDP datagrams, resulting in a remote denial of service. The issue arises from the handling of zero-length UDP datagrams: they are discarded before they count toward the packet budget during processing. As a result, a flood of empty datagrams is never limited by that budget, and the attacker controls how long the client stays stalled.
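A small C model of the accounting flaw described above, added here as an illustration and not taken from curl's source. The names `recv_loop`, `model_recv` and `dgram_queue` are hypothetical, and the flood is a constructed, finite array so that the run terminates; it compares charging the budget after the empty-datagram discard with charging it for every datagram read.

```c
#include <stddef.h>
#include <stdio.h>

#define FLOOD_MAX 1000
/* Constructed input: FLOOD_MAX pending datagrams, all of length 0. */
static const size_t empty_flood[FLOOD_MAX];

struct dgram_queue { const size_t *lens; size_t count, next; };

/* Stand-in for a socket read: 1 and *len set, or 0 when nothing is pending. */
static int model_recv(struct dgram_queue *q, size_t *len)
{
    if (q->next >= q->count)
        return 0;
    *len = q->lens[q->next++];
    return 1;
}

/* One call of a budgeted receive loop; returns how many datagrams it read.
 * charge_first == 0 models the flaw, charge_first == 1 the corrected order. */
size_t recv_loop(struct dgram_queue *q, size_t budget, int charge_first)
{
    size_t len, reads = 0;
    while (budget > 0 && model_recv(q, &len)) {
        reads++;
        if (charge_first)
            budget--;      /* corrected: every datagram read costs budget */
        if (len == 0)
            continue;      /* empty datagram is discarded */
        if (!charge_first)
            budget--;      /* flawed: only non-empty datagrams cost budget */
        /* a real client would pass the payload to its QUIC stack here */
    }
    return reads;
}

/* Run one loop call against n empty datagrams (capped at FLOOD_MAX). */
size_t reads_for_empty_flood(size_t n, size_t budget, int charge_first)
{
    struct dgram_queue q = { empty_flood, n > FLOOD_MAX ? FLOOD_MAX : n, 0 };
    return recv_loop(&q, budget, charge_first);
}

int main(void)
{
    printf("flawed:    %zu reads\n", reads_for_empty_flood(1000, 8, 0));
    printf("corrected: %zu reads\n", reads_for_empty_flood(1000, 8, 1));
    return 0;
}
```

In the flawed ordering the loop ends only because the modelled queue drains; against a peer that keeps sending, it would not return.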

Affected Version(s)

curl 8.20.0

curl 8.19.0

curl 8.18.0

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

vectorqueue on hackerone (AntAISecurityLab)
Stefan Eissing