CVE-2026-11352
UnknownSummary
A vulnerability in curl's QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service (DoS) against a curl or libcurl client. The helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, enabling a connected QUIC peer to continuously stream empty datagrams and indefinitely stall the client.
Risk Assessment
The organization is exposed to DoS attacks that can disrupt applications using curl or libcurl for HTTP/3 communication. An attacker can stall the client, leading to service interruptions in network-dependent services.
Recommendation
Immediately update curl and libcurl to a patched version. Additionally, monitor QUIC traffic and apply bandwidth limits for HTTP/3 connections.
Original NVD description (English source)
An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.

