QUIC zero-length UDP datagrams busy-loop
========================================

Project curl Security Advisory, June 24 2026
[Permalink](https://curl.se/docs/CVE-2026-11352.html)

VULNERABILITY
-------------

An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server
to trigger a remote denial of service against a curl or libcurl client.
Because the helper function discards zero-length UDP datagrams before counting
them toward the per-call packet budget, a connected QUIC peer can continuously
stream empty datagrams to indefinitely stall the client.
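To make the loop shape concrete, here is an added C model (example code, not curl's own) contrasting the vulnerable receive loop with the corrected one. `MAX_PKTS_PER_CALL`, `lens[]` as a stand-in for the peer, and the sample burst are all constructed for the illustration.

```c
#include <stddef.h>

/* Constructed model of a recvmmsg()-style UDP receive loop (added example, not
 * curl's code). lens[] stands in for the peer: each entry is one datagram's
 * payload length, 0 meaning an empty UDP datagram. With a real peer the
 * sequence never drains; the array bound only keeps the model finite. */
#define MAX_PKTS_PER_CALL 16  /* per-call packet budget */

/* Vulnerable shape: empty datagrams are dropped BEFORE being charged to the
 * budget, so a stream of them never lets pkts reach the limit. Returns how
 * many datagrams had to be pulled before the loop exited. */
size_t recv_loop_vulnerable(const long *lens, size_t n)
{
  size_t pkts = 0, pulled = 0;
  while(pkts < MAX_PKTS_PER_CALL && pulled < n) {
    long len = lens[pulled++];  /* one datagram from recvmmsg() */
    if(len == 0)
      continue;   /* discarded, budget unchanged */
    pkts++;       /* process the packet here */
  }
  return pulled;
}

/* Fixed shape: every datagram received is charged first, so the call returns
 * after MAX_PKTS_PER_CALL datagrams even if all of them are empty. */
size_t recv_loop_fixed(const long *lens, size_t n)
{
  size_t pkts = 0, pulled = 0;
  while(pkts < MAX_PKTS_PER_CALL && pulled < n) {
    long len = lens[pulled++];
    pkts++;       /* charged even if discarded below */
    if(len == 0)
      continue;
    /* process the packet here */
  }
  return pulled;
}

/* Constructed sample: 64 empty datagrams in a row, the degenerate stream the
 * advisory describes. */
#define BURST_LEN 64
static const long empty_burst[BURST_LEN] = {0};
```

Run over `empty_burst`, the vulnerable loop only stops because the sample array ends (64 pulls), while the fixed loop returns after 16 datagrams regardless of their contents.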

INFO
----

This issue only triggers on platforms featuring the `recvmmsg()` function
call.

This bug is not considered a *C mistake* (not likely to have been avoided had
we not been using C).

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-11352 to this issue.

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 8.18.0 to and including 8.20.0
- Not affected versions: curl < 8.18.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/6a3d0b6d631d5e9bec7

libcurl is used by many applications, but not always advertised as such!

SOLUTION
--------

- Fixed-in: https://github.com/curl/curl/commit/56eca2afb4806f1032872fa9

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl and libcurl to version 8.21.0

 B - Apply the patch to your version and rebuild

 C - Avoid using HTTP/3

TIMELINE
--------

This issue was reported to the curl project on June 5, 2026.

curl 8.21.0 was released on June 24 2026, coordinated with the publication of
this advisory.

CREDITS
-------

- Reported-by: vectorqueue on hackerone (AntAISecurityLab)
- Patched-by: Stefan Eissing

Thanks a lot!
