Description
An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.
References (3)
Core 3
Core References
Scores
CVSS v3
7.5
EPSS
0.0101
EPSS Percentile
59.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-835
Status
published
Products (4)
curl/curl
8.18.0
curl/curl
8.19.0
curl/curl
8.20.0
haxx/curl
8.18.0 - 8.21.0
Published
Jul 03, 2026
Tracked Since
Jul 03, 2026