Quicly
CVE-2026-44434
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
On-path network positioning is a specialized prerequisite that raises AC to H; no privileges or user interaction required; impact is limited to connection availability.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit dccf5d4, Quicly was vulnerable to stateless reset injection through lack of packet entry validation. The QUIC protocol is designed to withstand packet injection attacks, once the handshake is complete. Only packets that carry some secret patterns are considered as stateless resets. Quicly allows the peer to share up to 4 such patterns per connection. However, until now, it failed to determine which of the 4 slots that it uses to retain the secret patterns contains a valid entry. As the slots are zero-initialized, the failure meant that, unless the peer advertised 4 of such patterns, an all-zero pattern was treated as a stateless reset.In effect, this allowed an on-path attacker to reset QUIC connections governed by Quicly. This issue has been fixed by commit dccf5d4.
AnalysisAI
Stateless reset injection in Quicly, the IETF QUIC implementation embedded in the H2O HTTP server, allows an on-path network attacker to abruptly terminate any active QUIC connection by sending an all-zero packet. The root cause is that Quicly zero-initializes its four stateless reset token slots but never validates which slots hold legitimate peer-advertised tokens, causing the all-zero default to be accepted as a valid reset signal whenever the peer has advertised fewer than four tokens. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must occupy an on-path (man-in-the-middle) network position capable of injecting UDP packets between the Quicly client and server - this is the primary prerequisite and the most significant limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) overstates accessibility by labeling attack complexity Low, because the attack fundamentally requires on-path network positioning - a meaningfully elevated prerequisite not reflected in AC:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with on-path access between a client and an H2O server - for example, a malicious ISP node, a compromised router, or a network tap - monitors QUIC traffic to identify active connections governed by Quicly. The attacker crafts and injects a UDP packet containing an all-zero stateless reset token; because Quicly treats uninitialised token slots as valid, the receiving endpoint accepts the forged reset and immediately terminates the connection. … |
| Remediation | The upstream fix is available via commit dccf5d4579c7ae9dd6e8f90c36d52e311bb60710 in the h2o/quicly repository (https://github.com/h2o/quicly/commit/dccf5d4579c7ae9dd6e8f90c36d52e311bb60710); no separately tagged patched release version has been confirmed at time of analysis, so operators should update to a revision at or after this commit. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a
Denial of service in Quicly, the QUIC protocol library embedded in the H2O HTTP server, allows remote attackers to corru
Remote denial of service in quicly, the IETF QUIC implementation used by the H2O HTTP server, allows unauthenticated att
Quicly is an IETF QUIC protocol implementation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab
Memory exhaustion via crafted QUIC STREAM frames in Quicly (all versions prior to commit 8b178e6) allows an unauthentica
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today