{"id":"CURL-CVE-2026-11352","summary":"QUIC zero-length UDP datagrams busy-loop","details":"An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server\nto trigger a remote denial of service against a curl or libcurl client.\nBecause the helper function discards zero-length UDP datagrams before counting\nthem toward the per-call packet budget, a connected QUIC peer can continuously\nstream empty datagrams to indefinitely stall the client.","aliases":["CVE-2026-11352"],"modified":"2026-07-07T18:35:04.369508Z","published":"2026-06-24T08:00:00Z","database_specific":{"package":"curl","severity":"Low","www":"https://curl.se/docs/CVE-2026-11352.html","CWE":{"desc":"Loop with Unreachable Exit Condition ('Infinite Loop')","id":"CWE-835"},"URL":"https://curl.se/docs/CVE-2026-11352.json","affects":"both","issue":"https://hackerone.com/reports/3783438","last_affected":"8.20.0"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.18.0"},{"fixed":"8.21.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"6a3d0b6d631d5e9bec797306b5b41a9f440a088d"},{"fixed":"56eca2afb4806f1032872fa97d1834b3c1385276"}]}],"versions":["8.20.0","8.19.0","8.18.0","rc-8_21_0-1","curl-8_20_0","rc-8_20_0-3","rc-8_20_0-2","rc-8_20_0-1","curl-8_19_0","rc-8_19_0-3","rc-8_19_0-2","rc-8_19_0-1","curl-8_18_0","rc-8_18_0-3"],"database_specific":{"vanir_signatures":[{"signature_type":"Line","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/56eca2afb4806f1032872fa97d1834b3c1385276","target":{"file":"lib/vquic/vquic.c"},"deprecated":false,"digest":{"line_hashes":["8724453169819657302314774805657094082","261317499416676525855372847859961638644","292487107086365306031949868405637843668","309311828468822053510859394110150196214","31135108115463552048891152615770408904","57915329002755719217061593695510132297","56509348555510414857213222953972427758","31559790585369494778485528927910483629","197903950728067412386560788602144590888","87962793772792683778074868188172170356"],"threshold":0.9},"id":"CURL-CVE-2026-11352-0410a26e"},{"target":{"file":"lib/vquic/vquic.c","function":"recvmsg_packets"},"deprecated":false,"digest":{"function_hash":"92915703145574751170747784747814977008","length":1810},"id":"CURL-CVE-2026-11352-71d42987","signature_type":"Function","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/56eca2afb4806f1032872fa97d1834b3c1385276"},{"target":{"file":"lib/vquic/vquic.c","function":"recvmmsg_packets"},"deprecated":false,"digest":{"function_hash":"112665705993807998852020689214883065967","length":2733},"id":"CURL-CVE-2026-11352-cae54271","signature_type":"Function","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/56eca2afb4806f1032872fa97d1834b3c1385276"}],"source":"https://curl.se/docs/CURL-CVE-2026-11352.json","vanir_signatures_modified":"2026-07-07T18:35:04Z"}}],"schema_version":"1.7.5","credits":[{"name":"vectorqueue on hackerone (AntAISecurityLab)","type":"FINDER"},{"name":"Stefan Eissing","type":"REMEDIATION_DEVELOPER"}]}