VYPR
Unrated severity · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-34183

Description

QUIC servers and clients can be DoS'd by a remote peer exhausting heap memory via crafted PATH_CHALLENGE frames.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A remote peer may exhaust heap memory of a QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame is only freed when the remote peer acknowledges reception, which a malicious peer will not do. The FIPS modules in OpenSSL versions 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected as the QUIC stack is outside the FIPS module boundary [1].
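The retention pattern described above, modelled as an added example: this is not OpenSSL code and not the fix for this CVE. All names (`path_resp`, `conn`, `max_pending`) are hypothetical, the input is constructed, and the cap on unacknowledged responses is a general bounding pattern assumed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not OpenSSL code: one queued PATH_RESPONSE per
 * PATH_CHALLENGE, released only when the peer acknowledges it. */
struct path_resp { uint8_t data[8]; struct path_resp *next; };

/* max_pending == 0 means no limit (the behaviour described above). */
struct conn { struct path_resp *pending; size_t n_pending, max_pending; };

/* Returns 1 if a response was queued, 0 if dropped by the cap, -1 on OOM. */
int on_path_challenge(struct conn *c, const uint8_t data[8])
{
    struct path_resp *r;
    if (c->max_pending != 0 && c->n_pending >= c->max_pending)
        return 0;                 /* bounded: refuse to retain more state */
    if ((r = malloc(sizeof(*r))) == NULL)
        return -1;
    memcpy(r->data, data, 8);     /* PATH_RESPONSE echoes the challenge data */
    r->next = c->pending;
    c->pending = r;
    c->n_pending++;
    return 1;
}

/* Peer acknowledged everything sent so far: release retained responses. */
void on_ack_all(struct conn *c)
{
    while (c->pending != NULL) {
        struct path_resp *r = c->pending;
        c->pending = r->next;
        free(r);
    }
    c->n_pending = 0;
}

/* Feed n constructed challenges with no ACK; return bytes still retained. */
size_t retained_after_flood(size_t max_pending, size_t n)
{
    struct conn c = { NULL, 0, max_pending };
    uint8_t data[8] = { 0 };      /* constructed sample challenge payload */
    size_t i, bytes;
    for (i = 0; i < n; i++)
        on_path_challenge(&c, data);
    bytes = c.n_pending * sizeof(struct path_resp);
    on_ack_all(&c);               /* clean up the model */
    return bytes;
}
```

With `max_pending` set to 0 the retained bytes grow linearly with the number of unacknowledged challenges; with a non-zero cap they stay constant regardless of how many arrive.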

Exploitation

An attacker needs network access to the target QUIC server or client. The attacker must send a continuous stream of packets containing PATH_CHALLENGE frames to the target. The target will respond by allocating memory for PATH_RESPONSE frames, which will not be acknowledged by the attacker, leading to memory exhaustion.

Impact

A successful attack can cause unbounded memory allocation, leading to abnormal termination of the application acting as a QUIC client or server and resulting in a Denial of Service (DoS).

Mitigation

Not yet disclosed in the available references.

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 4

References: 5

News mentions: 1