Skip to main content

Quicly CVE-2026-44434

MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-07-16 GitHub_M
5.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
3.7 LOW

On-path network positioning is a specialized prerequisite that raises AC to H; no privileges or user interaction required; impact is limited to connection availability.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 16, 2026 - 23:21 vuln.today

DescriptionCVE.org

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit dccf5d4, Quicly was vulnerable to stateless reset injection through lack of packet entry validation. The QUIC protocol is designed to withstand packet injection attacks, once the handshake is complete. Only packets that carry some secret patterns are considered as stateless resets. Quicly allows the peer to share up to 4 such patterns per connection. However, until now, it failed to determine which of the 4 slots that it uses to retain the secret patterns contains a valid entry. As the slots are zero-initialized, the failure meant that, unless the peer advertised 4 of such patterns, an all-zero pattern was treated as a stateless reset.In effect, this allowed an on-path attacker to reset QUIC connections governed by Quicly. This issue has been fixed by commit dccf5d4.

AnalysisAI

Stateless reset injection in Quicly, the IETF QUIC implementation embedded in the H2O HTTP server, allows an on-path network attacker to abruptly terminate any active QUIC connection by sending an all-zero packet. The root cause is that Quicly zero-initializes its four stateless reset token slots but never validates which slots hold legitimate peer-advertised tokens, causing the all-zero default to be accepted as a valid reset signal whenever the peer has advertised fewer than four tokens. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain on-path UDP injection position
Delivery
Observe active Quicly QUIC connection
Exploit
Craft all-zero stateless reset packet
Execution
Inject packet into connection
Persist
Quicly accepts forged reset token
Impact
QUIC connection forcibly terminated

Vulnerability AssessmentAI

Exploitation The attacker must occupy an on-path (man-in-the-middle) network position capable of injecting UDP packets between the Quicly client and server - this is the primary prerequisite and the most significant limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) overstates accessibility by labeling attack complexity Low, because the attack fundamentally requires on-path network positioning - a meaningfully elevated prerequisite not reflected in AC:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with on-path access between a client and an H2O server - for example, a malicious ISP node, a compromised router, or a network tap - monitors QUIC traffic to identify active connections governed by Quicly. The attacker crafts and injects a UDP packet containing an all-zero stateless reset token; because Quicly treats uninitialised token slots as valid, the receiving endpoint accepts the forged reset and immediately terminates the connection. …
Remediation The upstream fix is available via commit dccf5d4579c7ae9dd6e8f90c36d52e311bb60710 in the h2o/quicly repository (https://github.com/h2o/quicly/commit/dccf5d4579c7ae9dd6e8f90c36d52e311bb60710); no separately tagged patched release version has been confirmed at time of analysis, so operators should update to a revision at or after this commit. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44434 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy