Skip to main content

Quiche

9 CVEs product

Monthly

CVE-2026-12523 HIGH PATCH This Week

Remote memory exhaustion in Cloudflare quiche's HTTP/3 layer allows unauthenticated attackers to crash or degrade QUIC servers by sending specially crafted HTTP/3 frames that trigger over-allocation. Two distinct defects are involved: frame parsers pre-allocate buffers based on an attacker-declared length field without requiring the bytes to actually be sent, and QPACK decompression fails to enforce the configured MAX_FIELD_SECTION_SIZE limit, so crafted HEADERS frames commit far more memory than advertised. No public exploit identified at time of analysis; impact is availability-only (CVSS 7.5) with no confidentiality or integrity effect.

Denial Of Service Quiche
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-12707 HIGH PATCH This Week

Denial of service in Cloudflare quiche (all versions before 0.29.3) allows a remote unauthenticated peer to exhaust server memory by triggering rapid post-handshake source address migration, causing unbounded queuing of PathEvent::ReusedSourceConnectionId entries in the internal PathEvents collection. Because the queue grows without limit whenever an application does not drain it via path_event_next(), an attacker can force high memory consumption and crash or degrade the server; notably, servers remain vulnerable even when active connection migration is disabled. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Quiche
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-11941 Cargo MEDIUM POC PATCH GHSA This Month

Use-after-free memory corruption in Cloudflare Quiche's FFI layer exposes applications built with the non-default FFI feature flag to remote denial of service and limited heap disclosure. Two FFI iterator functions - quiche_connection_id_iter_next and quiche_conn_retired_scid_next - return raw pointers to ConnectionId values that are immediately freed when their owning Rust scope exits, leaving callers holding dangling pointers. No public exploit has been identified at time of analysis and there is no CISA KEV listing, but the CVSS 5.6 (AV:N/AC:H) score correctly reflects the constrained preconditions imposed by the opt-in build flag.

Use After Free Memory Corruption Information Disclosure Denial Of Service Quiche
NVD GitHub VulDB
CVSS 3.1
5.6
EPSS
0.2%
CVE-2025-7054 Cargo HIGH PATCH This Month

Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Quiche Cloudflare
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-4821 HIGH PATCH This Week

Cloudflare quiche, a QUIC protocol implementation, contains a congestion control vulnerability (CVE-2025-4821) where an unauthenticated remote attacker can manipulate ACK frames to artificially inflate the congestion window beyond safe limits, causing excessive data transmission rates and potential denial of service through integer overflow panics. The vulnerability affects quiche versions prior to 0.24.4. While the CVSS score is 7.5 (high severity with network attack vector and no privileges required), real-world exploitation requires completing a QUIC handshake and active manipulation, limiting opportunistic exploitation.

Buffer Overflow Quiche Cloudflare
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-4820 MEDIUM PATCH This Month

Impact Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to send data at a rate faster than the path might actually support. An unauthenticated remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-controlled data transfer towards itself. Then, it could manipulate the victim's congestion control state by sending ACK frames exercising an opportunistic ACK attack; see RFC 9000 Section 21.4. The victim could grow the congestion window beyond typical expectations and allow more bytes in flight than the path might really support. Patches quiche 0.24.4 is the earliest version containing the fix for this issue.

Denial Of Service Debian Quiche Cloudflare
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-1765 Cargo HIGH PATCH This Week

Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Quiche
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2024-1410 Cargo MEDIUM PATCH This Month

Cloudflare quiche was discovered to be vulnerable to unbounded storage of information related to connection ID retirement, which could lead to excessive resource consumption. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Quiche
NVD GitHub
CVSS 3.1
5.3
EPSS
0.7%
CVE-2023-6193 Cargo MEDIUM PATCH This Month

quiche v. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Quiche
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote memory exhaustion in Cloudflare quiche's HTTP/3 layer allows unauthenticated attackers to crash or degrade QUIC servers by sending specially crafted HTTP/3 frames that trigger over-allocation. Two distinct defects are involved: frame parsers pre-allocate buffers based on an attacker-declared length field without requiring the bytes to actually be sent, and QPACK decompression fails to enforce the configured MAX_FIELD_SECTION_SIZE limit, so crafted HEADERS frames commit far more memory than advertised. No public exploit identified at time of analysis; impact is availability-only (CVSS 7.5) with no confidentiality or integrity effect.

Denial Of Service Quiche
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Cloudflare quiche (all versions before 0.29.3) allows a remote unauthenticated peer to exhaust server memory by triggering rapid post-handshake source address migration, causing unbounded queuing of PathEvent::ReusedSourceConnectionId entries in the internal PathEvents collection. Because the queue grows without limit whenever an application does not drain it via path_event_next(), an attacker can force high memory consumption and crash or degrade the server; notably, servers remain vulnerable even when active connection migration is disabled. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Quiche
NVD GitHub
EPSS 0% CVSS 5.6
MEDIUM POC PATCH This Month

Use-after-free memory corruption in Cloudflare Quiche's FFI layer exposes applications built with the non-default FFI feature flag to remote denial of service and limited heap disclosure. Two FFI iterator functions - quiche_connection_id_iter_next and quiche_conn_retired_scid_next - return raw pointers to ConnectionId values that are immediately freed when their owning Rust scope exits, leaving callers holding dangling pointers. No public exploit has been identified at time of analysis and there is no CISA KEV listing, but the CVSS 5.6 (AV:N/AC:H) score correctly reflects the constrained preconditions imposed by the opt-in build flag.

Use After Free Memory Corruption Information Disclosure +2
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Month

Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Quiche Cloudflare
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cloudflare quiche, a QUIC protocol implementation, contains a congestion control vulnerability (CVE-2025-4821) where an unauthenticated remote attacker can manipulate ACK frames to artificially inflate the congestion window beyond safe limits, causing excessive data transmission rates and potential denial of service through integer overflow panics. The vulnerability affects quiche versions prior to 0.24.4. While the CVSS score is 7.5 (high severity with network attack vector and no privileges required), real-world exploitation requires completing a QUIC handshake and active manipulation, limiting opportunistic exploitation.

Buffer Overflow Quiche Cloudflare
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Impact Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to send data at a rate faster than the path might actually support. An unauthenticated remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-controlled data transfer towards itself. Then, it could manipulate the victim's congestion control state by sending ACK frames exercising an opportunistic ACK attack; see RFC 9000 Section 21.4. The victim could grow the congestion window beyond typical expectations and allow more bytes in flight than the path might really support. Patches quiche 0.24.4 is the earliest version containing the fix for this issue.

Denial Of Service Debian Quiche +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Quiche
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Cloudflare quiche was discovered to be vulnerable to unbounded storage of information related to connection ID retirement, which could lead to excessive resource consumption. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Quiche
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

quiche v. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Quiche
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy