CVE-2026-11352

curl · curl

A flaw in the QUIC UDP receive function of curl allows a malicious HTTP/3 server to trigger a remote denial of service by causing an infinite loop.

Executive summary

A high-severity denial-of-service vulnerability in curl's HTTP/3 implementation could allow a remote attacker to crash client applications.

Vulnerability

The vulnerability exists in the QUIC UDP receive function (CWE-835), where zero-length datagrams are improperly discarded, leading to an infinite loop in the packet processing logic. This requires no authentication and can be triggered by a malicious remote HTTP/3 server.

Business impact

An attacker can force the client application into an infinite loop, resulting in a denial-of-service condition that consumes system resources and renders the application unresponsive. Given the CVSS score of 7.5, this poses a substantial risk to service availability for applications relying on libcurl for high-performance HTTP/3 communication.

Remediation

Immediate Action: Update to the latest version of curl/libcurl once the vendor releases a patch; if HTTP/3 is not required, consider disabling it as a temporary measure.

Proactive Monitoring: Monitor for application crashes or high CPU utilization in services utilizing libcurl to communicate with external HTTP/3 endpoints.

Compensating Controls: Deploy network-level traffic inspection to identify and block malformed QUIC UDP datagrams if immediate patching is not feasible.

Exploitation status

Public Exploit Available: No (unknown)

Analyst recommendation

Availability is a core pillar of security. Organizations should monitor for vendor updates and apply the necessary patches to libcurl to prevent service disruption caused by this infinite loop condition.