Remote denial of service via QUIC UDP receive function vulnerability
Summary
An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client. A flaw was found in curl and libcurl. A malicious HTTP/3 server can exploit an issue in the QUIC UDP receive function by continuously streaming empty UDP datagrams. This can lead to a remote denial of service (DoS) against a curl or libcurl client, as the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, causing the client to indefinitely stall. This Important flaw in curl and libcurl allows a remote malicious HTTP/3 server to trigger a denial of service against a client. By continuously sending zero-length UDP datagrams, an attacker can indefinitely stall the client, impacting service availability without requiring authentication or user interaction. This poses a significant risk to applications relying on curl for HTTP/3 communication. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-835. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Official advisory · high-confidence parse· fetched 23 seconds ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.