GHSA-qxwx-hr5v-h5q4HighCVSS 7.5

An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote...

Published
July 3, 2026
Last Modified
July 6, 2026

🔗 CVE IDs covered (1)

📋 Description

An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.

🔗 References (5)