Skip to main content

Cloudflare Quiche CVE-2026-11941

| EUVDEUVD-2026-38003 MEDIUM
Use After Free (CWE-416)
2026-06-19 cloudflare GHSA-mh64-ph39-mrc9
5.6
CVSS 3.1 · Vendor: cloudflare
Share

Severity by source

Vendor (cloudflare) PRIMARY
5.6 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
5.6 MEDIUM

AV:N because remote QUIC traffic triggers the vulnerable path; AC:H because the non-default FFI build flag is a concrete prerequisite; PR:N and UI:N since no authentication or user action is required.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (cloudflare).

CVSS VectorVendor: cloudflare

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 19, 2026 - 11:51 vuln.today

DescriptionCVE.org

Cloudflare Quiche was affected by 2 use-after-free vulnerabilities in the connection ID iterator FFI functions.

The “quiche_connection_id_iter_next” and “quiche_conn_retired_scid_next” functions would return a pointer to a “ConnectionId” to the applications via function arguments, but the owned “ConnectionId” would be dropped at the end of those functions' scope.

Only applications using those FFI functions are affected. The FFI API is disabled by default by a build-time feature flag.

Impact If unpatched, an application calling the affected FFI functions will dereference freed memory. The most likely outcome is undefined behavior leading to a process crash (denial of service). Depending on allocator state, the read may also return adjacent heap contents, resulting in limited information disclosure or incorrect connection identifier handling.

Mitigation Users are requested to upgrade to quiche 0.29.2 which is the earliest version containing the fix for this issue.

AnalysisAI

Use-after-free memory corruption in Cloudflare Quiche's FFI layer exposes applications built with the non-default FFI feature flag to remote denial of service and limited heap disclosure. Two FFI iterator functions - quiche_connection_id_iter_next and quiche_conn_retired_scid_next - return raw pointers to ConnectionId values that are immediately freed when their owning Rust scope exits, leaving callers holding dangling pointers. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted QUIC connection or migration packets
Delivery
Application invokes vulnerable FFI iterator function
Exploit
Rust drops owned ConnectionId at function scope exit
Execution
Caller dereferences freed memory pointer
Impact
Process crash (DoS) or adjacent heap contents exposed via SCID handling

Vulnerability AssessmentAI

Exploitation Exploitation requires two mandatory, non-default prerequisites that must both be true simultaneously. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate and heavily gated by a mandatory non-default build prerequisite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote, unauthenticated attacker sends crafted QUIC packets - such as connection migration requests or packets that trigger SCID retirement - to a server application built on Cloudflare Quiche with the FFI feature flag enabled. As the application processes these packets, it calls one of the vulnerable FFI iterator functions, receives a pointer to an already-freed ConnectionId, and dereferences it, causing either an immediate process crash that terminates the QUIC service or, in a specific allocator state, returning adjacent heap contents through the connection identifier handling logic.
Remediation Vendor-released patch: quiche 0.29.2, confirmed by Cloudflare as the earliest version containing the fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11941 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy