CURL-CVE-2026-11352

Source
https://curl.se/docs/CVE-2026-11352.html
Import Source
https://curl.se/docs/CURL-CVE-2026-11352.json
JSON Data
https://api.test.osv.dev/v1/vulns/CURL-CVE-2026-11352
Aliases
Published
2026-06-24T08:00:00Z
Modified
2026-07-07T18:35:04.369508Z
Summary
QUIC zero-length UDP datagrams busy-loop
Details

An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.

Database specific
{
    "package": "curl",
    "affects": "both",
    "last_affected": "8.20.0",
    "CWE": {
        "id": "CWE-835",
        "desc": "Loop with Unreachable Exit Condition ('Infinite Loop')"
    },
    "issue": "https://hackerone.com/reports/3783438",
    "severity": "Low",
    "www": "https://curl.se/docs/CVE-2026-11352.html",
    "URL": "https://curl.se/docs/CVE-2026-11352.json"
}
References
Credits
    • vectorqueue on hackerone (AntAISecurityLab) - FINDER
    • Stefan Eissing - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
8.18.0
Fixed
8.21.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

8.*
8.18.0
8.19.0
8.20.0
Other
curl-8_18_0
curl-8_19_0
curl-8_20_0
rc-8_18_0-3
rc-8_19_0-1
rc-8_19_0-2
rc-8_19_0-3
rc-8_20_0-1
rc-8_20_0-2
rc-8_20_0-3
rc-8_21_0-1

Database specific

vanir_signatures
[
    {
        "id": "CURL-CVE-2026-11352-0410a26e",
        "digest": {
            "line_hashes": [
                "8724453169819657302314774805657094082",
                "261317499416676525855372847859961638644",
                "292487107086365306031949868405637843668",
                "309311828468822053510859394110150196214",
                "31135108115463552048891152615770408904",
                "57915329002755719217061593695510132297",
                "56509348555510414857213222953972427758",
                "31559790585369494778485528927910483629",
                "197903950728067412386560788602144590888",
                "87962793772792683778074868188172170356"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "lib/vquic/vquic.c"
        },
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/56eca2afb4806f1032872fa97d1834b3c1385276",
        "deprecated": false,
        "signature_type": "Line"
    },
    {
        "id": "CURL-CVE-2026-11352-71d42987",
        "digest": {
            "length": 1810.0,
            "function_hash": "92915703145574751170747784747814977008"
        },
        "target": {
            "function": "recvmsg_packets",
            "file": "lib/vquic/vquic.c"
        },
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/56eca2afb4806f1032872fa97d1834b3c1385276",
        "deprecated": false,
        "signature_type": "Function"
    },
    {
        "id": "CURL-CVE-2026-11352-cae54271",
        "digest": {
            "length": 2733.0,
            "function_hash": "112665705993807998852020689214883065967"
        },
        "target": {
            "function": "recvmmsg_packets",
            "file": "lib/vquic/vquic.c"
        },
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/56eca2afb4806f1032872fa97d1834b3c1385276",
        "deprecated": false,
        "signature_type": "Function"
    }
]
source
"https://curl.se/docs/CURL-CVE-2026-11352.json"
vanir_signatures_modified
"2026-07-07T18:35:04Z"