to trigger a remote denial of service against a curl or libcurl client.
Because the helper function discards zero-length UDP datagrams before counting
them toward the per-call packet budget, a connected QUIC peer can continuously
stream empty datagrams to indefinitely stall the client.
Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Tue, 07 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-835 | |
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Mon, 06 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-400 |
Mon, 06 Jul 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Mon, 06 Jul 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-400 |
Mon, 06 Jul 2026 04:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-400 |
Sun, 05 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-400 |
Sun, 05 Jul 2026 12:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-400 |
Sat, 04 Jul 2026 09:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-400 |
Sat, 04 Jul 2026 01:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-400 |
Fri, 03 Jul 2026 13:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-400 |
Fri, 03 Jul 2026 07:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Curl
Curl curl |
|
| Vendors & Products |
Curl
Curl curl |
Fri, 03 Jul 2026 06:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client. | |
| Title | QUIC zero-length UDP datagrams busy-loop | |
| References |
|
Status: PUBLISHED
Assigner: curl
Published:
Updated: 2026-07-06T18:27:49.432Z
Reserved: 2026-06-05T11:23:43.389Z
Link: CVE-2026-11352
Updated: 2026-07-06T18:27:44.775Z
No data.
OpenCVE Enrichment
Updated: 2026-07-08T06:45:16Z