Skip to main content

Cloudflare quiche CVE-2026-12523

| EUVDEUVD-2026-43748 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-07-14 cloudflare
7.5
CVSS 3.1 · Vendor: cloudflare
Share

Severity by source

Vendor (cloudflare) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable HTTP/3 endpoint, no authentication or interaction, low complexity; memory exhaustion yields availability-only impact, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (cloudflare).

CVSS VectorVendor: cloudflare

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jul 14, 2026 - 18:20 EUVD
Analysis Generated
Jul 14, 2026 - 16:32 vuln.today
CVE Published
Jul 14, 2026 - 15:51 cve.org
HIGH 7.5

DescriptionCVE.org

Summary

Cloudflare quiche's HTTP/3 layer was discovered to be vulnerable to resource exhaustion (i.e., memory) by means of specially crafted HTTP/3 frames.

Impact

HTTP/3 defines multiple frame types to support HTTP message exchanges and connection management. Each frame has a length and a payload whose length depends on the frame type. quiche was found to be vulnerable when parsing some frame types to pre-allocating memory based on the declared length. An attacker would not need to send the number of declared bytes to trigger this issue.

In addition, quiche was found to not apply QPACK decompression limits correctly. This could allow an attacker to send specially crafted HEADERS frames that would cause more memory commitment than otherwise advertised by MAX_FIELD_SECTION_SIZE (configured by set_max_field_section_size()).

Mitigation:

*

Users are requested to upgrade to quiche 0.29.3 which is the earliest version containing the fix for this issue.

Credits: Disclosed responsibly by Sébastien Féry

AnalysisAI

Remote memory exhaustion in Cloudflare quiche's HTTP/3 layer allows unauthenticated attackers to crash or degrade QUIC servers by sending specially crafted HTTP/3 frames that trigger over-allocation. Two distinct defects are involved: frame parsers pre-allocate buffers based on an attacker-declared length field without requiring the bytes to actually be sent, and QPACK decompression fails to enforce the configured MAX_FIELD_SECTION_SIZE limit, so crafted HEADERS frames commit far more memory than advertised. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Open QUIC/HTTP3 connection to server
Delivery
Send frame with inflated declared length or crafted HEADERS
Exploit
Server pre-allocates or over-commits memory past MAX_FIELD_SECTION_SIZE
Execution
Repeat across streams and connections
Impact
Memory exhaustion crashes or degrades service

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the target run a quiche version earlier than 0.29.3 with the HTTP/3 layer enabled and reachable over QUIC (UDP, typically port 443); no authentication, no user interaction, and no non-default configuration is needed, matching AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The available signals are internally consistent and point to a genuine denial-of-service risk rather than an inflated score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker opens a QUIC/HTTP/3 connection to an internet-facing service built on a vulnerable quiche version and sends frames that declare a very large length, or crafted HEADERS frames that decompress past the advertised field-section limit. The server pre-allocates or commits memory far beyond what the attacker actually transmits, and by repeating this across streams and connections the attacker drives the process into memory exhaustion, degrading or crashing the service. …
Remediation Vendor-released patch: upgrade quiche to 0.29.3, the earliest release containing the fix for both the frame pre-allocation and the QPACK limit-enforcement defects, and rebuild/redeploy any downstream application that vendors quiche. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct asset inventory to identify all systems and services using Cloudflare quiche and document current deployed versions; enable detailed QUIC traffic logging and set baseline resource monitoring alerts on affected servers. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12523 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy