Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable HTTP/3 endpoint, no authentication or interaction, low complexity; memory exhaustion yields availability-only impact, so C:N/I:N/A:H.
Primary rating from Vendor (cloudflare).
CVSS VectorVendor: cloudflare
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Summary
Cloudflare quiche's HTTP/3 layer was discovered to be vulnerable to resource exhaustion (i.e., memory) by means of specially crafted HTTP/3 frames.
Impact
HTTP/3 defines multiple frame types to support HTTP message exchanges and connection management. Each frame has a length and a payload whose length depends on the frame type. quiche was found to be vulnerable when parsing some frame types to pre-allocating memory based on the declared length. An attacker would not need to send the number of declared bytes to trigger this issue.
In addition, quiche was found to not apply QPACK decompression limits correctly. This could allow an attacker to send specially crafted HEADERS frames that would cause more memory commitment than otherwise advertised by MAX_FIELD_SECTION_SIZE (configured by set_max_field_section_size()).
Mitigation:
*
Users are requested to upgrade to quiche 0.29.3 which is the earliest version containing the fix for this issue.
Credits: Disclosed responsibly by Sébastien Féry
AnalysisAI
Remote memory exhaustion in Cloudflare quiche's HTTP/3 layer allows unauthenticated attackers to crash or degrade QUIC servers by sending specially crafted HTTP/3 frames that trigger over-allocation. Two distinct defects are involved: frame parsers pre-allocate buffers based on an attacker-declared length field without requiring the bytes to actually be sent, and QPACK decompression fails to enforce the configured MAX_FIELD_SECTION_SIZE limit, so crafted HEADERS frames commit far more memory than advertised. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the target run a quiche version earlier than 0.29.3 with the HTTP/3 layer enabled and reachable over QUIC (UDP, typically port 443); no authentication, no user interaction, and no non-default configuration is needed, matching AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The available signals are internally consistent and point to a genuine denial-of-service risk rather than an inflated score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker opens a QUIC/HTTP/3 connection to an internet-facing service built on a vulnerable quiche version and sends frames that declare a very large length, or crafted HEADERS frames that decompress past the advertised field-section limit. The server pre-allocates or commits memory far beyond what the attacker actually transmits, and by repeating this across streams and connections the attacker drives the process into memory exhaustion, degrading or crashing the service. … |
| Remediation | Vendor-released patch: upgrade quiche to 0.29.3, the earliest release containing the fix for both the frame pre-allocation and the QPACK limit-enforcement defects, and rebuild/redeploy any downstream application that vendors quiche. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct asset inventory to identify all systems and services using Cloudflare quiche and document current deployed versions; enable detailed QUIC traffic logging and set baseline resource monitoring alerts on affected servers. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Use-after-free memory corruption in Cloudflare Quiche's FFI layer exposes applications built with the non-default FFI fe
Cloudflare quiche, a QUIC protocol implementation, contains a congestion control vulnerability (CVE-2025-4821) where an
Denial of service in Cloudflare quiche (all versions before 0.29.3) allows a remote unauthenticated peer to exhaust serv
Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing
Impact Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to
Cloudflare quiche was discovered to be vulnerable to unbounded storage of information related to connection ID retiremen
quiche v. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low
Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43748