PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11352 curl CVE debrief

CVE-2026-11352 is a remote denial of service vulnerability in curl’s QUIC UDP receive function. A malicious HTTP/3 server can trigger this vulnerability against a curl or libcurl client by continuously streaming empty datagrams to indefinitely stall the client. This issue affects users of curl or libcurl clients, particularly those using version 8.18.0 up to but not including 8.21.0.

Vendor
curl
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-03
Original CVE updated
2026-07-07
Advisory published
2026-07-03
Advisory updated
2026-07-07

Who should care

Users of curl or libcurl clients, particularly those using version 8.18.0 up to but not including 8.21.0, should be aware of this vulnerability and take steps to defend against it. This includes operators, platform administrators, vulnerability management teams, and security teams.

Technical summary

An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client. The affected product is curl or libcurl clients using version 8.18.0 up to but not including 8.21.0.

Defensive priority

High

Recommended defensive actions

  • Inventory and verify affected curl or libcurl client versions
  • Apply patches or updates from the vendor
  • Monitor for suspicious UDP traffic
  • Implement compensating controls to limit exposure
  • Review relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-03T07:16:23.693Z and was last modified on 2026-07-07T18:01:19.013Z. The NVD entry is currently Analyzed. This information is based on the NVD entry and CVE record. Defenders should verify the affected scope and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T07:16:23.693Z and has not been modified since then. The NVD entry is currently Analyzed.