Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote, low-complexity, unauthenticated post-handshake migration flood; availability-only impact with no confidentiality or integrity effect, so C:N/I:N/A:H.
Primary rating from Vendor (cloudflare).
CVSS VectorVendor: cloudflare
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Summary
Cloudflare quiche was discovered to be vulnerable to memory resource exhaustion due to unbounded queuing of post-handshake client migration events.
Impact
quiche supports the connection migration features described in Section 9 of RFC 9000, which allows a single QUIC connection to survive changes in the network path. Although quiche implements the protections described in Section 9.3 of RFC 9000 to limit server state commitment, it was discovered that the collection of PathEvents, intended to be consumed by applications via the path_event_next() function, was not bounded.
Once the QUIC handshake completed, a peer could exploit rapid source address migration in order to cause unbounded queuing of the PathEvent::ReusedSourceConnectionId type. Servers are vulnerable even if active connection migration is disabled.
Mitigation:
*
Applications can call path_event_next() to drain the PathEvent collection, mitigating the attack.
*
Users are requested to upgrade to quiche 0.29.3 which is the earliest version that prevents excessive queueing of PathEvent::ReusedSourceConnectionId.
AnalysisAI
Denial of service in Cloudflare quiche (all versions before 0.29.3) allows a remote unauthenticated peer to exhaust server memory by triggering rapid post-handshake source address migration, causing unbounded queuing of PathEvent::ReusedSourceConnectionId entries in the internal PathEvents collection. Because the queue grows without limit whenever an application does not drain it via path_event_next(), an attacker can force high memory consumption and crash or degrade the server; notably, servers remain vulnerable even when active connection migration is disabled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker first complete a QUIC handshake with the quiche server, then perform rapid post-handshake source address migration to generate a stream of PathEvent::ReusedSourceConnectionId events. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base 7.5, HIGH) is internally consistent with the description: network reachable, low complexity, no privileges or user interaction, availability-only impact - a classic remote unauthenticated DoS with no confidentiality or integrity effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker completes a normal QUIC handshake with an internet-facing quiche-based server, then rapidly changes its UDP source address in a loop, causing the server to enqueue a flood of PathEvent::ReusedSourceConnectionId events. If the embedding application does not drain these via path_event_next() fast enough, server memory grows without bound until the process is OOM-killed or the host degrades. … |
| Remediation | Vendor-released patch: quiche 0.29.3, which is the earliest version that prevents excessive queuing of PathEvent::ReusedSourceConnectionId; upgrade the quiche dependency to 0.29.3 or later and rebuild/redeploy affected services, per the advisory at https://github.com/cloudflare/quiche/security/advisories/GHSA-4q5x-gp38-rfp4. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all systems running Cloudflare quiche to identify version numbers and exposure; consult Cloudflare documentation and internal architecture records to map vulnerable deployments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Use-after-free memory corruption in Cloudflare Quiche's FFI layer exposes applications built with the non-default FFI fe
Cloudflare quiche, a QUIC protocol implementation, contains a congestion control vulnerability (CVE-2025-4821) where an
Remote memory exhaustion in Cloudflare quiche's HTTP/3 layer allows unauthenticated attackers to crash or degrade QUIC s
Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing
Impact Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to
Cloudflare quiche was discovered to be vulnerable to unbounded storage of information related to connection ID retiremen
quiche v. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low
Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43716