CVE Vulnerabilities

CVE-2026-11352

Loop with Unreachable Exit Condition ('Infinite Loop')

Published: Jul 03, 2026 | Modified: Jul 07, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
LOW
root.io logo minimus.io logo echo.ai logo

An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.

Weakness

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Affected Software

NameVendorStart VersionEnd Version
CurlHaxx8.18.0 (including)8.21.0 (excluding)
Red Hat Hardened ImagesRedHatcurl-main-8.21.0-0.1.hum1*
Red Hat Hardened ImagesRedHatrust-main-1.96.1-1.hum1*
CurlUbuntudevel*
CurlUbunturesolute*
CurlUbuntuupstream*

References