7.5
CVE-2026-11352
- EPSS 1.01%
- Veröffentlicht 03.07.2026 06:12:10
- Zuletzt bearbeitet 07.07.2026 18:01:19
- Quelle 2499f714-1537-4658-8207-48ae4b
- CVE-Watchlists
- Unerledigt
QUIC zero-length UDP datagrams busy-loop
An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.01% | 0.59 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
https://hackerone.com/reports/3783438
https://curl.se/docs/CVE-2026-11352.html
https://curl.se/docs/CVE-2026-11352.json