CVE-2026-11352

QUIC zero-length UDP datagrams busy-loop

Project curl Security Advisory, June 24 2026 Permalink

VULNERABILITY

An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.

INFO

This issue only triggers on platforms featuring the recvmmsg() function call.

This bug is not considered a C mistake (not likely to have been avoided had we not been using C).

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-11352 to this issue.

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Severity: Low

AFFECTED VERSIONS

• Affected versions: curl 8.18.0 to and including 8.20.0
• Not affected versions: curl < 8.18.0 and >= 8.21.0
• Introduced-in: https://github.com/curl/curl/commit/6a3d0b6d631d5e9bec7

libcurl is used by many applications, but not always advertised as such!

SOLUTION

• Fixed-in: https://github.com/curl/curl/commit/56eca2afb4806f1032872fa9

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 8.21.0

B - Apply the patch to your version and rebuild

C - Avoid using HTTP/3

TIMELINE

This issue was reported to the curl project on June 5, 2026.

curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.

CREDITS

• Reported-by: vectorqueue on hackerone (AntAISecurityLab)
• Patched-by: Stefan Eissing

Thanks a lot!