Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (AMZN).
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a denial of service (degraded availability) by sending crafted QUIC Initial packets.
To remediate this issue, users should upgrade to v1.8.2.
AnalysisAI
Unbounded memory allocation in the CRYPTO frame reassembler of AWS s2n-quic (all versions before v1.82.0) enables unauthenticated remote actors to degrade service availability by sending crafted QUIC Initial packets. Because QUIC Initial packets are processed prior to handshake completion, no session establishment or authentication is required to trigger the condition. No public exploit code or active exploitation has been identified at time of analysis, but the low-complexity, zero-authentication attack path makes this straightforwardly reachable on any exposed s2n-quic endpoint.
Technical ContextAI
s2n-quic (CPE: cpe:2.3:a:aws:s2n-quic:*:*:*:*:*:*:*:*) is Amazon Web Services' Rust-based implementation of the QUIC transport protocol. QUIC Initial packets carry CRYPTO frames, which transport TLS handshake data and are processed by a frame reassembler before a connection is established. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling): the reassembler does not enforce an upper bound on memory allocated during CRYPTO frame reassembly, meaning an attacker can craft packets that drive unbounded heap growth. Because Initial packets require no prior state or credentials, every reachable s2n-quic listener is an attack surface. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VA:L) confirms network reachability, low complexity, and no prerequisite conditions.
RemediationAI
Upgrade s2n-quic to v1.82.0, which includes the fix for excessive memory allocation in the CRYPTO frame reassembler as confirmed by the release notes and security advisory GHSA-9q54-f358-3fqf (https://github.com/aws/s2n-quic/security/advisories/GHSA-9q54-f358-3fqf). The AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-042-aws/ provides the official vendor guidance. If an immediate upgrade is not feasible, consider rate-limiting or blocking inbound QUIC Initial packets at the network perimeter or load balancer layer - this prevents exploitation but also disables QUIC-based connectivity entirely, which may impact latency-sensitive applications that depend on QUIC. Restricting QUIC listener exposure to trusted network segments is a viable partial control where full public exposure is not required. No in-library workaround or configuration knob to disable CRYPTO frame reassembly is identified in the available data.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36103