Skip to main content

curl CVE-2026-11352

| EUVDEUVD-2026-41498 HIGH
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
7.5
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 HIGH

Network QUIC transport with trivial empty-datagram trigger (AV:N/AC:L), no server-side auth (PR:N); availability-only livelock (A:H), no confidentiality/integrity impact, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jul 06, 2026 - 21:51 vuln.today
v7 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:50 vuln.today
v6 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:49 vuln.today
v5 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:49 vuln.today
v4 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:48 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:45 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jul 06, 2026 - 19:22 NVD
7.5 (HIGH)
Analysis Generated
Jun 24, 2026 - 18:29 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Remote denial of service in curl and libcurl (versions 8.18.0 through 8.20.0) lets a malicious or compromised HTTP/3 server indefinitely stall a connecting client. The flaw lives in curl's QUIC UDP receive path, where zero-length UDP datagrams are discarded before they are counted against the per-call packet budget, so a peer that streams a continuous flood of empty datagrams keeps the receive loop spinning without ever making progress. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure curl HTTP/3 client to malicious server
Delivery
Establish QUIC connection over UDP
Exploit
Stream continuous zero-length datagrams
Execution
Empty packets skip per-call budget count
Persist
Receive loop livelocks indefinitely
Impact
Client hangs (denial of service)

Vulnerability AssessmentAI

Exploitation Exploitation requires that the curl/libcurl client is built with HTTP/3 support and actually uses the HTTP/3 (QUIC over UDP) protocol for the connection - the bug is in the QUIC UDP receive function and does not affect HTTP/1.1 or HTTP/2 traffic. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The available signals are consistent and point to a real-but-moderate priority rather than an emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker stands up (or compromises) an HTTP/3 server and lures a curl/libcurl HTTP/3 client to connect - for example an automated fetcher, updater, or backend service that retrieves URLs over QUIC. Once the QUIC session is established, the malicious server streams a continuous flood of zero-length UDP datagrams, which are discarded before counting toward the client's per-call receive budget, causing the client's receive loop to livelock and hang indefinitely. …
Remediation No vendor-released patch version is identified in the provided data; the curl advisory at https://curl.se/docs/CVE-2026-11352.html is the authoritative source for the exact fixed release (curl's practice is to fix in the next tagged release above the affected line, but the specific version is not confirmed from the input and should not be assumed). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all systems and applications using curl/libcurl 8.18.0-8.20.0, including development, testing, and production environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Curl

View all
CVE-2013-0249 HIGH POC
7.5 Mar 08

Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7

CVE-2015-3145 HIGH
7.5 Apr 24

The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which

CVE-2022-32221 CRITICAL POC
9.8 Dec 05

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data t

CVE-2022-32207 CRITICAL POC
9.8 Jul 07

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the

CVE-2018-0500 CRITICAL POC
9.8 Jul 11

Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that mig

CVE-2023-23914 CRITICAL POC
9.1 Feb 23

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functional

CVE-2023-27534 HIGH POC
8.8 Mar 30

A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly re

CVE-2023-27533 HIGH POC
8.8 Mar 30

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an atta

CVE-2025-0665 HIGH POC
7.0 Feb 05

A double-close vulnerability exists in libcurl when tearing down connection channels after threaded name resolution, cau

CVE-2022-27778 HIGH POC
8.1 Jun 02

A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used

CVE-2021-22901 HIGH POC
8.1 Jun 11

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when

CVE-2020-8177 HIGH POC
7.8 Dec 14

curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead to

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Not-Affected
SLES15-SP6-CHOST-BYOS Not-Affected
SLES15-SP6-CHOST-BYOS-Aliyun Not-Affected
SLES15-SP6-CHOST-BYOS-Azure Not-Affected
SLES15-SP6-CHOST-BYOS-EC2 Not-Affected

Share

CVE-2026-11352 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy