CVE-2026-11352
ADVISORY - debianSummary
An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.
- curl 8.21.0~rc2-1 [trixie] - curl (Vulnerable code not present) [bookworm] - curl (Vulnerable code not present) [bullseye] - curl (Vulnerable code not present) https://curl.se/docs/CVE-2026-11352.html Introduced with: https://github.com/curl/curl/commit/6a3d0b6d631d5e9bec797306b5b41a9f440a088d (curl-8_18_0) Fixed by: https://github.com/curl/curl/commit/56eca2afb4806f1032872fa97d1834b3c1385276 (rc-8_21_0-2, curl-8_21_0)
EPSS Score: 0.00756 (0.507)
Common Weakness Enumeration (CWE)
Alpine
CREATED
UPDATED
ADVISORY IDCVE-2026-11352
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Debian
CREATED
UPDATED
ADVISORY IDCVE-2026-11352
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
N/AlowUbuntu
CREATED
UPDATED
ADVISORY IDCVE-2026-11352
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
N/Alowminimos
CREATED
UPDATED
ADVISORY ID
MINI-2gg7-7rv8-6535
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
minimos
CREATED
UPDATED
ADVISORY ID
MINI-f4cx-fqj3-m8j3
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-