An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.
{
"package": "curl",
"affects": "both",
"last_affected": "8.20.0",
"CWE": {
"id": "CWE-835",
"desc": "Loop with Unreachable Exit Condition ('Infinite Loop')"
},
"issue": "https://hackerone.com/reports/3783438",
"severity": "Low",
"www": "https://curl.se/docs/CVE-2026-11352.html",
"URL": "https://curl.se/docs/CVE-2026-11352.json"
}[
{
"id": "CURL-CVE-2026-11352-0410a26e",
"digest": {
"line_hashes": [
"8724453169819657302314774805657094082",
"261317499416676525855372847859961638644",
"292487107086365306031949868405637843668",
"309311828468822053510859394110150196214",
"31135108115463552048891152615770408904",
"57915329002755719217061593695510132297",
"56509348555510414857213222953972427758",
"31559790585369494778485528927910483629",
"197903950728067412386560788602144590888",
"87962793772792683778074868188172170356"
],
"threshold": 0.9
},
"target": {
"file": "lib/vquic/vquic.c"
},
"signature_version": "v1",
"source": "https://github.com/curl/curl.git/commit/56eca2afb4806f1032872fa97d1834b3c1385276",
"deprecated": false,
"signature_type": "Line"
},
{
"id": "CURL-CVE-2026-11352-71d42987",
"digest": {
"length": 1810.0,
"function_hash": "92915703145574751170747784747814977008"
},
"target": {
"function": "recvmsg_packets",
"file": "lib/vquic/vquic.c"
},
"signature_version": "v1",
"source": "https://github.com/curl/curl.git/commit/56eca2afb4806f1032872fa97d1834b3c1385276",
"deprecated": false,
"signature_type": "Function"
},
{
"id": "CURL-CVE-2026-11352-cae54271",
"digest": {
"length": 2733.0,
"function_hash": "112665705993807998852020689214883065967"
},
"target": {
"function": "recvmmsg_packets",
"file": "lib/vquic/vquic.c"
},
"signature_version": "v1",
"source": "https://github.com/curl/curl.git/commit/56eca2afb4806f1032872fa97d1834b3c1385276",
"deprecated": false,
"signature_type": "Function"
}
]
"https://curl.se/docs/CURL-CVE-2026-11352.json"
"2026-07-07T18:35:04Z"