Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
AV:N because remote QUIC traffic triggers the vulnerable path; AC:H because the non-default FFI build flag is a concrete prerequisite; PR:N and UI:N since no authentication or user action is required.
Primary rating from Vendor (cloudflare).
CVSS VectorVendor: cloudflare
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Cloudflare Quiche was affected by 2 use-after-free vulnerabilities in the connection ID iterator FFI functions.
The “quiche_connection_id_iter_next” and “quiche_conn_retired_scid_next” functions would return a pointer to a “ConnectionId” to the applications via function arguments, but the owned “ConnectionId” would be dropped at the end of those functions' scope.
Only applications using those FFI functions are affected. The FFI API is disabled by default by a build-time feature flag.
Impact If unpatched, an application calling the affected FFI functions will dereference freed memory. The most likely outcome is undefined behavior leading to a process crash (denial of service). Depending on allocator state, the read may also return adjacent heap contents, resulting in limited information disclosure or incorrect connection identifier handling.
Mitigation Users are requested to upgrade to quiche 0.29.2 which is the earliest version containing the fix for this issue.
AnalysisAI
Use-after-free memory corruption in Cloudflare Quiche's FFI layer exposes applications built with the non-default FFI feature flag to remote denial of service and limited heap disclosure. Two FFI iterator functions - quiche_connection_id_iter_next and quiche_conn_retired_scid_next - return raw pointers to ConnectionId values that are immediately freed when their owning Rust scope exits, leaving callers holding dangling pointers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two mandatory, non-default prerequisites that must both be true simultaneously. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate and heavily gated by a mandatory non-default build prerequisite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote, unauthenticated attacker sends crafted QUIC packets - such as connection migration requests or packets that trigger SCID retirement - to a server application built on Cloudflare Quiche with the FFI feature flag enabled. As the application processes these packets, it calls one of the vulnerable FFI iterator functions, receives a pointer to an already-freed ConnectionId, and dereferences it, causing either an immediate process crash that terminates the QUIC service or, in a specific allocator state, returning adjacent heap contents through the connection identifier handling logic. |
| Remediation | Vendor-released patch: quiche 0.29.2, confirmed by Cloudflare as the earliest version containing the fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Cloudflare quiche, a QUIC protocol implementation, contains a congestion control vulnerability (CVE-2025-4821) where an
Remote memory exhaustion in Cloudflare quiche's HTTP/3 layer allows unauthenticated attackers to crash or degrade QUIC s
Denial of service in Cloudflare quiche (all versions before 0.29.3) allows a remote unauthenticated peer to exhaust serv
Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing
Impact Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to
Cloudflare quiche was discovered to be vulnerable to unbounded storage of information related to connection ID retiremen
quiche v. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low
Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38003
GHSA-mh64-ph39-mrc9