Quicly
CVE-2026-44433
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Memory exhaustion reachable via minimal packets justifies A:H over the vendor-assigned A:L; all other metrics reflect unauthenticated QUIC protocol access with no confidentiality or integrity impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 8b178e6, an adversarial peer could send a STREAM frame carrying just one byte at the largest offset being permitted to obtain additional flow control credit, which under certain circumstances could lead to a Denial of Service. Assuming the application prepares a receive buffer for storing all data that arrive out-of-order, up to the largest offset being received, this behavior could lead to the application allocating large amount of memory with the peer sending only a handful of packets, resulting in memory exhaustion. In addition to the receive buffer allocation strategy, the severity of this vulnerability depends on how the application controls the stream concurrency. In case of the H2O HTTP server, under its default setting, this bug increases the maximum amount of memory allocated per connection by about 4 times. This issue has been fixed by commit 8b178e6.
AnalysisAI
Memory exhaustion via crafted QUIC STREAM frames in Quicly (all versions prior to commit 8b178e6) allows an unauthenticated remote peer to cause disproportionate server memory allocation using only a handful of packets. By sending a single-byte STREAM frame positioned at the maximum permitted flow control offset, an adversary tricks the library into granting undeserved additional flow control credit, causing the receiver to pre-allocate a receive buffer spanning the full permitted offset range. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a network-reachable Quicly endpoint running a version prior to commit 8b178e6, where the host application pre-allocates receive buffers up to the largest received data offset - a condition present in H2O's default configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 5.3 (Medium) with A:L appears to understate availability risk given the description explicitly cites memory exhaustion achievable via 'a handful of packets' - characteristic of A:H impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An adversary establishes one or more QUIC connections to a target H2O server running a vulnerable Quicly build and sends STREAM frames each carrying a single byte at the current maximum flow control offset across multiple concurrent streams. The server pre-allocates oversized receive buffers for each stream in response, consuming memory far in excess of the actual data volume transmitted. … |
| Remediation | The upstream fix is available as commit 8b178e692c51a3b1031612ef89f03a53aac63c15 in the Quicly repository at https://github.com/h2o/quicly/commit/8b178e692c51a3b1031612ef89f03a53aac63c15; no tagged release version incorporating this fix has been independently confirmed from available data - operators should build from a revision at or after this commit. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a
Denial of service in Quicly, the QUIC protocol library embedded in the H2O HTTP server, allows remote attackers to corru
Remote denial of service in quicly, the IETF QUIC implementation used by the H2O HTTP server, allows unauthenticated att
Quicly is an IETF QUIC protocol implementation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab
Stateless reset injection in Quicly, the IETF QUIC implementation embedded in the H2O HTTP server, allows an on-path net
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today