Skip to main content

Cloudflare quiche CVE-2026-12707

| EUVDEUVD-2026-43716 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-14 cloudflare
7.5
CVSS 3.1 · Vendor: cloudflare
Share

Severity by source

Vendor (cloudflare) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote, low-complexity, unauthenticated post-handshake migration flood; availability-only impact with no confidentiality or integrity effect, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (cloudflare).

CVSS VectorVendor: cloudflare

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jul 14, 2026 - 18:20 EUVD
Analysis Generated
Jul 14, 2026 - 16:06 vuln.today
CVE Published
Jul 14, 2026 - 15:18 cve.org
HIGH 7.5

DescriptionCVE.org

Summary

Cloudflare quiche was discovered to be vulnerable to memory resource exhaustion due to unbounded queuing of post-handshake client migration events.

Impact

quiche supports the connection migration features described in Section 9 of RFC 9000, which allows a single QUIC connection to survive changes in the network path. Although quiche implements the protections described in Section 9.3 of RFC 9000 to limit server state commitment, it was discovered that the collection of PathEvents, intended to be consumed by applications via the path_event_next() function, was not bounded.

Once the QUIC handshake completed, a peer could exploit rapid source address migration in order to cause unbounded queuing of the PathEvent::ReusedSourceConnectionId type. Servers are vulnerable even if active connection migration is disabled.

Mitigation:

*

Applications can call path_event_next() to drain the PathEvent collection, mitigating the attack.

*

Users are requested to upgrade to quiche 0.29.3 which is the earliest version that prevents excessive queueing of PathEvent::ReusedSourceConnectionId.

AnalysisAI

Denial of service in Cloudflare quiche (all versions before 0.29.3) allows a remote unauthenticated peer to exhaust server memory by triggering rapid post-handshake source address migration, causing unbounded queuing of PathEvent::ReusedSourceConnectionId entries in the internal PathEvents collection. Because the queue grows without limit whenever an application does not drain it via path_event_next(), an attacker can force high memory consumption and crash or degrade the server; notably, servers remain vulnerable even when active connection migration is disabled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Complete QUIC handshake with quiche server
Delivery
Rapidly change UDP source address
Exploit
Generate ReusedSourceConnectionId path events
Execution
Events queue unbounded (undrained)
Impact
Server memory exhausted, service denied

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker first complete a QUIC handshake with the quiche server, then perform rapid post-handshake source address migration to generate a stream of PathEvent::ReusedSourceConnectionId events. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base 7.5, HIGH) is internally consistent with the description: network reachable, low complexity, no privileges or user interaction, availability-only impact - a classic remote unauthenticated DoS with no confidentiality or integrity effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker completes a normal QUIC handshake with an internet-facing quiche-based server, then rapidly changes its UDP source address in a loop, causing the server to enqueue a flood of PathEvent::ReusedSourceConnectionId events. If the embedding application does not drain these via path_event_next() fast enough, server memory grows without bound until the process is OOM-killed or the host degrades. …
Remediation Vendor-released patch: quiche 0.29.3, which is the earliest version that prevents excessive queuing of PathEvent::ReusedSourceConnectionId; upgrade the quiche dependency to 0.29.3 or later and rebuild/redeploy affected services, per the advisory at https://github.com/cloudflare/quiche/security/advisories/GHSA-4q5x-gp38-rfp4. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all systems running Cloudflare quiche to identify version numbers and exposure; consult Cloudflare documentation and internal architecture records to map vulnerable deployments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12707 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy