Denial of Service Vulnerability in Curl and Libcurl Products
CVE-2026-11352
Currently unrated
What is CVE-2026-11352?
A vulnerability in the QUIC UDP receive function of curl and libcurl allows a malicious HTTP/3 server to stall a client indefinitely by sending a continuous stream of empty UDP datagrams, resulting in a remote denial of service. The issue arises from the handling of zero-length UDP datagrams: they are discarded before they count toward the packet budget during processing, so a flood of them never uses up that budget.
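The budget-accounting flaw described above, shown as an added example that is not curl source and not part of the original advisory: a simplified C model of a receive loop with a per-call packet budget, run over constructed datagram lengths. The names `drain_uncharged`, `drain_charged` and `struct drain_result` are hypothetical, and charging the budget for every datagram is an assumed mitigation, not the project's actual fix.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model with hypothetical names; this is not curl source.
 * The "socket" is a constructed array of datagram lengths.
 * reads: datagrams pulled in one call; processed: non-empty ones kept. */
struct drain_result { size_t reads, processed; };

/* Constructed inputs: an all-empty flood and a mixed burst. */
static const size_t empty_flood[1000] = {0};
static const size_t mixed[6] = {100, 0, 0, 200, 0, 300};

/* Flawed pattern: empty datagrams are dropped before the budget is
 * charged, so only the end of input stops the loop. */
static struct drain_result drain_uncharged(const size_t *lens, size_t n,
                                           size_t budget)
{
  struct drain_result r = {0, 0};
  size_t used = 0;
  while(used < budget && r.reads < n) {
    if(lens[r.reads++] == 0)
      continue; /* discarded, budget untouched */
    r.processed++;
    used++;
  }
  return r;
}

/* Bounded pattern (assumed mitigation): every read costs one unit. */
static struct drain_result drain_charged(const size_t *lens, size_t n,
                                         size_t budget)
{
  struct drain_result r = {0, 0};
  size_t used = 0;
  while(used < budget && r.reads < n) {
    used++; /* charge first, then inspect the length */
    if(lens[r.reads++] != 0)
      r.processed++;
  }
  return r;
}

int main(void)
{
  printf("flood: uncharged reads=%zu, charged reads=%zu\n",
         drain_uncharged(empty_flood, 1000, 8).reads,
         drain_charged(empty_flood, 1000, 8).reads);
  printf("mixed: uncharged reads=%zu, charged reads=%zu\n",
         drain_uncharged(mixed, 6, 2).reads, drain_charged(mixed, 6, 2).reads);
  return 0;
}
```

With a budget of 8, the uncharged loop consumes all 1000 empty datagrams in a single call, while the charged loop returns after 8 reads and gives control back to the caller.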
Affected Version(s)
curl 8.20.0
curl 8.19.0
curl 8.18.0
