Quicly
CVE-2026-44436
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote unauthenticated crafted packet with no user interaction yields availability-only impact (assertion/crash), with no confidentiality or integrity effect since the overflow stays within allocated memory.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 8b178e6, Quicly is vulnerable to a Denial of Service attack through connection state corruption. In QUIC Invariants, the maximum length of a Connection ID is 255 bytes, while QUIC version 1 further restricts the maximum to 20 bytes. Quicly implements QUIC version 1 and therefore its CID buffers are limited to 20 bytes. However, to be able to respond to unknown versions of QUIC, its packet decoder accepts Connection IDs of up to 255 bytes. As its CID buffers are merely 20 bytes long, Quicly must reject QUIC version 1 packets with Connection IDs longer than that. The command line tool bundled with Quicly has had that check, however the library itself lacked such enforcement. As a consequence, when used by applications that lack their own enforcement, the connection state becoming inconsistent to buffer overrun. Fortunately, the overflow stops within the allocated chunk of memory, but nevertheless, the bug leads to assertion failures. This issue has been fixed by commit 8b178e6.
AnalysisAI
Denial of service in Quicly, the QUIC protocol library embedded in the H2O HTTP server, allows remote attackers to corrupt connection state and crash the process prior to commit 8b178e6. Quicly's packet decoder accepts Connection IDs up to 255 bytes (permitted for unknown QUIC versions) but its version-1 CID buffers are only 20 bytes, and the library - unlike its bundled CLI - never rejected over-length CIDs, letting an oversized CID overrun the buffer within its allocated chunk and trigger assertion failures. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires sending a QUIC version 1 packet whose Connection ID field exceeds the 20-byte version-1 maximum (up to the 255-byte QUIC Invariants limit the decoder accepts) to a service that links the Quicly library directly. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) reflects a purely availability impact reachable remotely without authentication or user interaction, consistent with the description of a network-triggered assertion failure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a single crafted QUIC version 1 long-header packet with a Connection ID longer than 20 bytes to a server built on a vulnerable Quicly-linked application. The oversized CID is copied into the undersized buffer, corrupting connection state and firing an assertion failure that crashes the process, denying service to legitimate clients. … |
| Remediation | Upstream fix available (commit 8b178e6); a tagged patched release version is not independently confirmed from the provided data - update Quicly to a build that includes commit 8b178e692c51a3b1031612ef89f03a53aac63c15 (https://github.com/h2o/quicly/commit/8b178e692c51a3b1031612ef89f03a53aac63c15) and consult the advisory at https://github.com/h2o/quicly/security/advisories/GHSA-v55w-59qx-2v78 for guidance. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all systems running H2O with QUIC enabled and configure monitoring for unexpected application crashes with alerting to security operations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a
Remote denial of service in quicly, the IETF QUIC implementation used by the H2O HTTP server, allows unauthenticated att
Quicly is an IETF QUIC protocol implementation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab
Stateless reset injection in Quicly, the IETF QUIC implementation embedded in the H2O HTTP server, allows an on-path net
Memory exhaustion via crafted QUIC STREAM frames in Quicly (all versions prior to commit 8b178e6) allows an unauthentica
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today