quicly
CVE-2026-44435
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote, unauthenticated, no interaction over the QUIC handshake with low complexity; impact is solely an assertion-driven crash, so C/I:N and A:H.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 937d0e9, an assertion failure is raised when the total number of valid handshake messages received over a CRYPTO stream of a single packet number space exceeds 32KB, causing a Denial of Service. This issue has been fixed by commit 937d0e9.
AnalysisAI
Remote denial of service in quicly, the IETF QUIC implementation used by the H2O HTTP server, allows unauthenticated attackers to crash the process by sending more than 32KB of valid handshake messages over the CRYPTO stream within a single packet number space, tripping a reachable assertion (CWE-617). Affects all builds prior to commit 937d0e9. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to have QUIC/HTTP-3 enabled and reachable (the quicly-based listener active on UDP), and the attacker must drive the CRYPTO stream of a single packet number space past 32KB of valid handshake messages during connection establishment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 High) is internally consistent with the description: network-reachable, low complexity, no privileges or user interaction, and pure availability impact (assertion-driven crash, no data compromise). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker initiates a QUIC/HTTP-3 connection to an internet-facing H2O/quicly endpoint and deliberately delivers a stream of valid handshake messages over the CRYPTO stream whose cumulative size exceeds 32KB in one packet number space. The assertion fires and the server process aborts, dropping all in-flight connections; the unauthenticated attacker can repeat this to sustain a denial of service. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - update quicly to a build that includes commit 937d0e9e7c669fc2bee4920632ab6aaac60e4d81 (or later) and rebuild/redeploy any H2O or downstream binaries that statically embed it, as described in advisory GHSA-2cw9-5673-73gv (https://github.com/h2o/quicly/security/advisories/GHSA-2cw9-5673-73gv). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all H2O HTTP server instances and identify which builds run quicly versions prior to commit 937d0e9. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a
Denial of service in Quicly, the QUIC protocol library embedded in the H2O HTTP server, allows remote attackers to corru
Quicly is an IETF QUIC protocol implementation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab
Stateless reset injection in Quicly, the IETF QUIC implementation embedded in the H2O HTTP server, allows an on-path net
Memory exhaustion via crafted QUIC STREAM frames in Quicly (all versions prior to commit 8b178e6) allows an unauthentica
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today