CVE-2026-11352

EUVD-2026-41498
An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server
to trigger a remote denial of service against a curl or libcurl client.
Because the helper function discards zero-length UDP datagrams before counting
them toward the per-call packet budget, a connected QUIC peer can continuously
stream empty datagrams to indefinitely stall the client.
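The budget flaw described above, as an added example in C. It is a simplified model and not curl's source code: the function names, the array-of-lengths socket model and the budget of 16 are assumptions, and the bounded variant shows one way to charge every datagram against the budget, not the project's actual fix.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, NOT curl source: a socket is modelled as an array of
 * datagram lengths, and each function returns how many datagrams a single
 * call drains before handing control back to the caller's event loop. */

/* Flawed pattern: empty datagrams are dropped before the budget is charged. */
size_t drain_flawed(const size_t *lens, size_t avail, size_t budget)
{
  size_t seen = 0, processed = 0;
  while(seen < avail && processed < budget) {
    size_t len = lens[seen++];
    if(len == 0)
      continue;        /* discarded, but never counted */
    processed++;       /* only non-empty datagrams consume budget */
  }
  return seen;
}

/* Hardened pattern: every datagram received costs one budget unit. */
size_t drain_bounded(const size_t *lens, size_t avail, size_t budget)
{
  size_t seen = 0;
  while(seen < avail && seen < budget) {
    size_t len = lens[seen++];
    if(len == 0)
      continue;        /* still discarded, but already counted */
    /* a real client would hand the payload to the QUIC stack here */
  }
  return seen;
}

/* Constructed input: n empty datagrams already queued by the peer. */
size_t demo(int bounded, size_t n, size_t budget)
{
  static size_t lens[4096];   /* zero-initialised: all empty datagrams */
  if(n > 4096)
    n = 4096;
  return bounded ? drain_bounded(lens, n, budget)
                 : drain_flawed(lens, n, budget);
}

int main(void)
{
  printf("flawed:  %zu datagrams in one call\n", demo(0, 4096, 16));
  printf("bounded: %zu datagrams in one call\n", demo(1, 4096, 16));
  return 0;
}
```

In the flawed variant the call ends only because the constructed queue is finite; against a peer that keeps sending empty datagrams it would not return.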
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
curl | CNA | UNKNOWN | ---
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
Vendor | Product | Version | Source
curl | curl | ≤ 8.20.0 | CNA
curl | curl | ≤ 8.19.0 | CNA
curl | curl | ≤ 8.18.0 | CNA
Debian Releases
Debian Product | Codename | Version | Status
curl | bookworm | 7.88.1-10+deb12u14 | fixed
curl | bookworm (security) | 7.88.1-10+deb12u5 | fixed
curl | bullseye | 7.74.0-1.3+deb11u13 | fixed
curl | bullseye (security) | 7.74.0-1.3+deb11u16 | fixed
curl | forky | | vulnerable
curl | sid | 8.21.0-2 | fixed
curl | trixie | 8.14.1-2+deb13u3 | fixed