Vulnerability Details CVE-2026-11352
An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server
to trigger a remote denial of service against a curl or libcurl client.
Because the helper function discards zero-length UDP datagrams before counting
them toward the per-call packet budget, a connected QUIC peer can continuously
stream empty datagrams to indefinitely stall the client.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.007
EPSS Ranking 50.5%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-11352
-
cpe:2.3:a:haxx:curl:8.18.0