CVE-2026-11352
curl · curl
A flaw in the QUIC UDP receive function of curl allows a malicious HTTP/3 server to trigger a remote denial of service by causing an infinite loop.
Executive summary
A high-severity denial-of-service vulnerability in curl's HTTP/3 implementation could allow a remote attacker to crash client applications.
Vulnerability
The vulnerability exists in the QUIC UDP receive function (CWE-835), where zero-length datagrams are improperly discarded, leading to an infinite loop in the packet processing logic. This requires no authentication and can be triggered by a malicious remote HTTP/3 server.
Business impact
An attacker can force the client application into an infinite loop, resulting in a denial-of-service condition that consumes system resources and renders the application unresponsive. Given the CVSS score of 7.5, this poses a substantial risk to service availability for applications relying on libcurl for high-performance HTTP/3 communication.
Remediation
Immediate Action: Update to the latest version of curl/libcurl once the vendor releases a patch; if HTTP/3 is not required, consider disabling it as a temporary measure.
Proactive Monitoring: Monitor for application crashes or high CPU utilization in services utilizing libcurl to communicate with external HTTP/3 endpoints.
Compensating Controls: Deploy network-level traffic inspection to identify and block malformed QUIC UDP datagrams if immediate patching is not feasible.
Exploitation status
Public Exploit Available: No (unknown)
Analyst recommendation
Availability is a core pillar of security. Organizations should monitor for vendor updates and apply the necessary patches to libcurl to prevent service disruption caused by this infinite loop condition.