Skip to main content

Quicly CVE-2026-44436

HIGH
Classic Buffer Overflow (CWE-120)
2026-07-16 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote unauthenticated crafted packet with no user interaction yields availability-only impact (assertion/crash), with no confidentiality or integrity effect since the overflow stays within allocated memory.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 23:20 vuln.today
CVE Published
Jul 16, 2026 - 22:44 cve.org
HIGH 7.5

DescriptionCVE.org

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 8b178e6, Quicly is vulnerable to a Denial of Service attack through connection state corruption. In QUIC Invariants, the maximum length of a Connection ID is 255 bytes, while QUIC version 1 further restricts the maximum to 20 bytes. Quicly implements QUIC version 1 and therefore its CID buffers are limited to 20 bytes. However, to be able to respond to unknown versions of QUIC, its packet decoder accepts Connection IDs of up to 255 bytes. As its CID buffers are merely 20 bytes long, Quicly must reject QUIC version 1 packets with Connection IDs longer than that. The command line tool bundled with Quicly has had that check, however the library itself lacked such enforcement. As a consequence, when used by applications that lack their own enforcement, the connection state becoming inconsistent to buffer overrun. Fortunately, the overflow stops within the allocated chunk of memory, but nevertheless, the bug leads to assertion failures. This issue has been fixed by commit 8b178e6.

AnalysisAI

Denial of service in Quicly, the QUIC protocol library embedded in the H2O HTTP server, allows remote attackers to corrupt connection state and crash the process prior to commit 8b178e6. Quicly's packet decoder accepts Connection IDs up to 255 bytes (permitted for unknown QUIC versions) but its version-1 CID buffers are only 20 bytes, and the library - unlike its bundled CLI - never rejected over-length CIDs, letting an oversized CID overrun the buffer within its allocated chunk and trigger assertion failures. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach QUIC listener over network
Delivery
Craft version-1 packet with >20-byte CID
Exploit
Decoder accepts oversized Connection ID
Execution
Copy overruns 20-byte CID buffer
Persist
Corrupt connection state, trigger assertion
Impact
Process crash / denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires sending a QUIC version 1 packet whose Connection ID field exceeds the 20-byte version-1 maximum (up to the 255-byte QUIC Invariants limit the decoder accepts) to a service that links the Quicly library directly. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) reflects a purely availability impact reachable remotely without authentication or user interaction, consistent with the description of a network-triggered assertion failure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a single crafted QUIC version 1 long-header packet with a Connection ID longer than 20 bytes to a server built on a vulnerable Quicly-linked application. The oversized CID is copied into the undersized buffer, corrupting connection state and firing an assertion failure that crashes the process, denying service to legitimate clients. …
Remediation Upstream fix available (commit 8b178e6); a tagged patched release version is not independently confirmed from the provided data - update Quicly to a build that includes commit 8b178e692c51a3b1031612ef89f03a53aac63c15 (https://github.com/h2o/quicly/commit/8b178e692c51a3b1031612ef89f03a53aac63c15) and consult the advisory at https://github.com/h2o/quicly/security/advisories/GHSA-v55w-59qx-2v78 for guidance. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running H2O with QUIC enabled and configure monitoring for unexpected application crashes with alerting to security operations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44436 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy