{"api_version":"1","generated_at":"2026-07-03T18:06:42+00:00","cve":"CVE-2026-11352","urls":{"html":"https://cve.report/CVE-2026-11352","api":"https://cve.report/api/cve/CVE-2026-11352.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-11352","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-11352"},"summary":{"title":"QUIC zero-length UDP datagrams busy-loop","description":"An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server\nto trigger a remote denial of service against a curl or libcurl client.\nBecause the helper function discards zero-length UDP datagrams before counting\nthem toward the per-call packet budget, a connected QUIC peer can continuously\nstream empty datagrams to indefinitely stall the client.","state":"PUBLISHED","assigner":"curl","published_at":"2026-07-03 07:16:23","updated_at":"2026-07-03 07:16:23"},"problem_types":["CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')"],"metrics":[],"references":[{"url":"https://curl.se/docs/CVE-2026-11352.html","name":"https://curl.se/docs/CVE-2026-11352.html","refsource":"2499f714-1537-4658-8207-48ae4bb9eae9","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://curl.se/docs/CVE-2026-11352.json","name":"https://curl.se/docs/CVE-2026-11352.json","refsource":"2499f714-1537-4658-8207-48ae4bb9eae9","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://hackerone.com/reports/3783438","name":"https://hackerone.com/reports/3783438","refsource":"2499f714-1537-4658-8207-48ae4bb9eae9","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-11352","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-11352","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.20.0 8.20.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.19.0 8.19.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.18.0 8.18.0 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"vectorqueue on hackerone (AntAISecurityLab)","lang":"en"},{"source":"CNA","value":"Stefan Eissing","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"curl","vendor":"curl","versions":[{"lessThanOrEqual":"8.20.0","status":"affected","version":"8.20.0","versionType":"semver"},{"lessThanOrEqual":"8.19.0","status":"affected","version":"8.19.0","versionType":"semver"},{"lessThanOrEqual":"8.18.0","status":"affected","version":"8.18.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"vectorqueue on hackerone (AntAISecurityLab)"},{"lang":"en","type":"remediation developer","value":"Stefan Eissing"}],"descriptions":[{"lang":"en","value":"An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server\nto trigger a remote denial of service against a curl or libcurl client.\nBecause the helper function discards zero-length UDP datagrams before counting\nthem toward the per-call packet budget, a connected QUIC peer can continuously\nstream empty datagrams to indefinitely stall the client."}],"problemTypes":[{"descriptions":[{"description":"CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')","lang":"en"}]}],"providerMetadata":{"dateUpdated":"2026-07-03T06:12:10.777Z","orgId":"2499f714-1537-4658-8207-48ae4bb9eae9","shortName":"curl"},"references":[{"name":"json","url":"https://curl.se/docs/CVE-2026-11352.json"},{"name":"www","url":"https://curl.se/docs/CVE-2026-11352.html"},{"name":"issue","url":"https://hackerone.com/reports/3783438"}],"title":"QUIC zero-length UDP datagrams busy-loop"}},"cveMetadata":{"assignerOrgId":"2499f714-1537-4658-8207-48ae4bb9eae9","assignerShortName":"curl","cveId":"CVE-2026-11352","datePublished":"2026-07-03T06:12:10.777Z","dateReserved":"2026-06-05T11:23:43.389Z","dateUpdated":"2026-07-03T06:12:10.777Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-03 07:16:23","lastModifiedDate":"2026-07-03 07:16:23","problem_types":["CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')"],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"11352","Ordinal":"1","Title":"QUIC zero-length UDP datagrams busy-loop","CVE":"CVE-2026-11352","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"11352","Ordinal":"1","NoteData":"An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server\nto trigger a remote denial of service against a curl or libcurl client.\nBecause the helper function discards zero-length UDP datagrams before counting\nthem toward the per-call packet budget, a connected QUIC peer can continuously\nstream empty datagrams to indefinitely stall the client.","Type":"Description","Title":"QUIC zero-length UDP datagrams busy-loop"}]}}}