CVE-2026-34183
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames.
Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service.
A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OpenSSL | OpenSSL | 4.0.0 < 4.0.1 | affected |
| OpenSSL | OpenSSL | 3.6.0 < 3.6.3 | affected |
| OpenSSL | OpenSSL | 3.5.0 < 3.5.7 | affected |
| OpenSSL | OpenSSL | 3.4.0 < 3.4.6 | affected |
Weaknesses
- CWE-1325: CWE-1325 Improperly Controlled Sequential Memory Allocation
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://openssl-library.org/news/secadv/20260609.txt
- https://github.com/openssl/openssl/commit/fbaa83859c01ad64f497b757aaf51be7d05ed9eb
- https://github.com/openssl/openssl/commit/5b306efb0b3779dfdd0803b4afc9d08c91f11517
- https://github.com/openssl/openssl/commit/7d06955ebe0ecf8adfd4c1e92018586da47ef9ac
- https://github.com/openssl/openssl/commit/d2e9efbe4900a373227deb136e8665401404ffac
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.