Quiche
Monthly
Remote memory exhaustion in Cloudflare quiche's HTTP/3 layer allows unauthenticated attackers to crash or degrade QUIC servers by sending specially crafted HTTP/3 frames that trigger over-allocation. Two distinct defects are involved: frame parsers pre-allocate buffers based on an attacker-declared length field without requiring the bytes to actually be sent, and QPACK decompression fails to enforce the configured MAX_FIELD_SECTION_SIZE limit, so crafted HEADERS frames commit far more memory than advertised. No public exploit identified at time of analysis; impact is availability-only (CVSS 7.5) with no confidentiality or integrity effect.
Denial of service in Cloudflare quiche (all versions before 0.29.3) allows a remote unauthenticated peer to exhaust server memory by triggering rapid post-handshake source address migration, causing unbounded queuing of PathEvent::ReusedSourceConnectionId entries in the internal PathEvents collection. Because the queue grows without limit whenever an application does not drain it via path_event_next(), an attacker can force high memory consumption and crash or degrade the server; notably, servers remain vulnerable even when active connection migration is disabled. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Use-after-free memory corruption in Cloudflare Quiche's FFI layer exposes applications built with the non-default FFI feature flag to remote denial of service and limited heap disclosure. Two FFI iterator functions - quiche_connection_id_iter_next and quiche_conn_retired_scid_next - return raw pointers to ConnectionId values that are immediately freed when their owning Rust scope exits, leaving callers holding dangling pointers. No public exploit has been identified at time of analysis and there is no CISA KEV listing, but the CVSS 5.6 (AV:N/AC:H) score correctly reflects the constrained preconditions imposed by the opt-in build flag.
Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cloudflare quiche, a QUIC protocol implementation, contains a congestion control vulnerability (CVE-2025-4821) where an unauthenticated remote attacker can manipulate ACK frames to artificially inflate the congestion window beyond safe limits, causing excessive data transmission rates and potential denial of service through integer overflow panics. The vulnerability affects quiche versions prior to 0.24.4. While the CVSS score is 7.5 (high severity with network attack vector and no privileges required), real-world exploitation requires completing a QUIC handshake and active manipulation, limiting opportunistic exploitation.
Impact Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to send data at a rate faster than the path might actually support. An unauthenticated remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-controlled data transfer towards itself. Then, it could manipulate the victim's congestion control state by sending ACK frames exercising an opportunistic ACK attack; see RFC 9000 Section 21.4. The victim could grow the congestion window beyond typical expectations and allow more bytes in flight than the path might really support. Patches quiche 0.24.4 is the earliest version containing the fix for this issue.
Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cloudflare quiche was discovered to be vulnerable to unbounded storage of information related to connection ID retirement, which could lead to excessive resource consumption. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
quiche v. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Remote memory exhaustion in Cloudflare quiche's HTTP/3 layer allows unauthenticated attackers to crash or degrade QUIC servers by sending specially crafted HTTP/3 frames that trigger over-allocation. Two distinct defects are involved: frame parsers pre-allocate buffers based on an attacker-declared length field without requiring the bytes to actually be sent, and QPACK decompression fails to enforce the configured MAX_FIELD_SECTION_SIZE limit, so crafted HEADERS frames commit far more memory than advertised. No public exploit identified at time of analysis; impact is availability-only (CVSS 7.5) with no confidentiality or integrity effect.
Denial of service in Cloudflare quiche (all versions before 0.29.3) allows a remote unauthenticated peer to exhaust server memory by triggering rapid post-handshake source address migration, causing unbounded queuing of PathEvent::ReusedSourceConnectionId entries in the internal PathEvents collection. Because the queue grows without limit whenever an application does not drain it via path_event_next(), an attacker can force high memory consumption and crash or degrade the server; notably, servers remain vulnerable even when active connection migration is disabled. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Use-after-free memory corruption in Cloudflare Quiche's FFI layer exposes applications built with the non-default FFI feature flag to remote denial of service and limited heap disclosure. Two FFI iterator functions - quiche_connection_id_iter_next and quiche_conn_retired_scid_next - return raw pointers to ConnectionId values that are immediately freed when their owning Rust scope exits, leaving callers holding dangling pointers. No public exploit has been identified at time of analysis and there is no CISA KEV listing, but the CVSS 5.6 (AV:N/AC:H) score correctly reflects the constrained preconditions imposed by the opt-in build flag.
Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cloudflare quiche, a QUIC protocol implementation, contains a congestion control vulnerability (CVE-2025-4821) where an unauthenticated remote attacker can manipulate ACK frames to artificially inflate the congestion window beyond safe limits, causing excessive data transmission rates and potential denial of service through integer overflow panics. The vulnerability affects quiche versions prior to 0.24.4. While the CVSS score is 7.5 (high severity with network attack vector and no privileges required), real-world exploitation requires completing a QUIC handshake and active manipulation, limiting opportunistic exploitation.
Impact Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to send data at a rate faster than the path might actually support. An unauthenticated remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-controlled data transfer towards itself. Then, it could manipulate the victim's congestion control state by sending ACK frames exercising an opportunistic ACK attack; see RFC 9000 Section 21.4. The victim could grow the congestion window beyond typical expectations and allow more bytes in flight than the path might really support. Patches quiche 0.24.4 is the earliest version containing the fix for this issue.
Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cloudflare quiche was discovered to be vulnerable to unbounded storage of information related to connection ID retirement, which could lead to excessive resource consumption. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
quiche v. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.