High severityNVD Advisory· Published Mar 10, 2026· Updated Apr 16, 2026

CVE-2026-31812

Description

Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto parsing logic, attacker-controlled varints are decoded with unwrap(), so truncated encodings cause Err(UnexpectedEnd) and panic. This is reachable over the network with a single packet and no prior trust or authentication. This vulnerability is fixed in 0.11.14.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
quinn-protocrates.io	< 0.11.14	0.11.14

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-6xvm-j4wr-6v98ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-31812ghsaADVISORY
github.com/quinn-rs/quinn/pull/2559ghsaWEB
github.com/quinn-rs/quinn/security/advisories/GHSA-6xvm-j4wr-6v98nvdWEB
rustsec.org/advisories/RUSTSEC-2026-0037.htmlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000