Skip to main content

quicly CVE-2026-44435

HIGH
Reachable Assertion (CWE-617)
2026-07-16 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote, unauthenticated, no interaction over the QUIC handshake with low complexity; impact is solely an assertion-driven crash, so C/I:N and A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 23:20 vuln.today
CVE Published
Jul 16, 2026 - 22:39 cve.org
HIGH 7.5

DescriptionCVE.org

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 937d0e9, an assertion failure is raised when the total number of valid handshake messages received over a CRYPTO stream of a single packet number space exceeds 32KB, causing a Denial of Service. This issue has been fixed by commit 937d0e9.

AnalysisAI

Remote denial of service in quicly, the IETF QUIC implementation used by the H2O HTTP server, allows unauthenticated attackers to crash the process by sending more than 32KB of valid handshake messages over the CRYPTO stream within a single packet number space, tripping a reachable assertion (CWE-617). Affects all builds prior to commit 937d0e9. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach QUIC/HTTP-3 UDP listener
Delivery
Begin QUIC handshake
Exploit
Send >32KB valid CRYPTO handshake data
Execution
Trigger reachable assertion
Persist
Process aborts, connections dropped
Impact
Repeat to sustain DoS

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to have QUIC/HTTP-3 enabled and reachable (the quicly-based listener active on UDP), and the attacker must drive the CRYPTO stream of a single packet number space past 32KB of valid handshake messages during connection establishment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 High) is internally consistent with the description: network-reachable, low complexity, no privileges or user interaction, and pure availability impact (assertion-driven crash, no data compromise). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker initiates a QUIC/HTTP-3 connection to an internet-facing H2O/quicly endpoint and deliberately delivers a stream of valid handshake messages over the CRYPTO stream whose cumulative size exceeds 32KB in one packet number space. The assertion fires and the server process aborts, dropping all in-flight connections; the unauthenticated attacker can repeat this to sustain a denial of service. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - update quicly to a build that includes commit 937d0e9e7c669fc2bee4920632ab6aaac60e4d81 (or later) and rebuild/redeploy any H2O or downstream binaries that statically embed it, as described in advisory GHSA-2cw9-5673-73gv (https://github.com/h2o/quicly/security/advisories/GHSA-2cw9-5673-73gv). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all H2O HTTP server instances and identify which builds run quicly versions prior to commit 937d0e9. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44435 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy