Skip to main content

Quicly CVE-2026-44433

MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-16 GitHub_M
5.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
7.5 HIGH

Memory exhaustion reachable via minimal packets justifies A:H over the vendor-assigned A:L; all other metrics reflect unauthenticated QUIC protocol access with no confidentiality or integrity impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 16, 2026 - 22:46 vuln.today

DescriptionCVE.org

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 8b178e6, an adversarial peer could send a STREAM frame carrying just one byte at the largest offset being permitted to obtain additional flow control credit, which under certain circumstances could lead to a Denial of Service. Assuming the application prepares a receive buffer for storing all data that arrive out-of-order, up to the largest offset being received, this behavior could lead to the application allocating large amount of memory with the peer sending only a handful of packets, resulting in memory exhaustion. In addition to the receive buffer allocation strategy, the severity of this vulnerability depends on how the application controls the stream concurrency. In case of the H2O HTTP server, under its default setting, this bug increases the maximum amount of memory allocated per connection by about 4 times. This issue has been fixed by commit 8b178e6.

AnalysisAI

Memory exhaustion via crafted QUIC STREAM frames in Quicly (all versions prior to commit 8b178e6) allows an unauthenticated remote peer to cause disproportionate server memory allocation using only a handful of packets. By sending a single-byte STREAM frame positioned at the maximum permitted flow control offset, an adversary tricks the library into granting undeserved additional flow control credit, causing the receiver to pre-allocate a receive buffer spanning the full permitted offset range. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Establish QUIC connection to target
Delivery
Send STREAM frame with 1 byte at maximum flow control offset
Exploit
Quicly grants undeserved additional flow control credit
Install
Server pre-allocates oversized receive buffer per stream
C2
Repeat across concurrent streams and connections
Execute
Exhaust server memory
Impact
Denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires a network-reachable Quicly endpoint running a version prior to commit 8b178e6, where the host application pre-allocates receive buffers up to the largest received data offset - a condition present in H2O's default configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 5.3 (Medium) with A:L appears to understate availability risk given the description explicitly cites memory exhaustion achievable via 'a handful of packets' - characteristic of A:H impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An adversary establishes one or more QUIC connections to a target H2O server running a vulnerable Quicly build and sends STREAM frames each carrying a single byte at the current maximum flow control offset across multiple concurrent streams. The server pre-allocates oversized receive buffers for each stream in response, consuming memory far in excess of the actual data volume transmitted. …
Remediation The upstream fix is available as commit 8b178e692c51a3b1031612ef89f03a53aac63c15 in the Quicly repository at https://github.com/h2o/quicly/commit/8b178e692c51a3b1031612ef89f03a53aac63c15; no tagged release version incorporating this fix has been independently confirmed from available data - operators should build from a revision at or after this commit. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy