An issue in curl’s QUIC UDP receive function allows a...
High severity
Unreviewed
Published
Jul 3, 2026
to the GitHub Advisory Database
•
Updated Jul 7, 2026
Description
Published by the National Vulnerability Database
Jul 3, 2026
Published to the GitHub Advisory Database
Jul 3, 2026
Last updated
Jul 7, 2026
An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server
to trigger a remote denial of service against a curl or libcurl client.
Because the helper function discards zero-length UDP datagrams before counting
them toward the per-call packet budget, a connected QUIC peer can continuously
stream empty datagrams to indefinitely stall the client.
References