VYPR
High severity (CVSS 7.5) · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-42764

Description

OpenSSL QUIC server vulnerable to NULL pointer dereference when address validation is disabled, leading to DoS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A NULL pointer dereference can occur in the OpenSSL QUIC server when it receives an Initial QUIC packet carrying an invalid token, provided that address validation is disabled. The vulnerable path is reachable only when the SSL_LISTENER_FLAG_NO_VALIDATE flag is passed to SSL_new_listener(). The FIPS modules in versions 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected, as the vulnerable code lies outside the FIPS module boundary. The default configuration of the OpenSSL QUIC server has address validation enabled and is therefore not vulnerable.

Exploitation

An attacker can trigger this vulnerability by sending a crafted Initial QUIC packet with an invalid token (an expired one included) to a vulnerable OpenSSL QUIC server. The attacker needs no particular network position and no authentication; the only precondition is that the server was created with address validation disabled via SSL_LISTENER_FLAG_NO_VALIDATE.
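The trigger is an Initial packet, and the relevant field is sent in the clear: QUIC header protection covers only the low bits of the first byte and the packet number, not the Token field (RFC 9000 §17.2.2, RFC 9001 §5.4). The following is an added example for triaging captures around this CVE; it is not code from the advisory or from OpenSSL, and the function names (`parse_long_header`, `summarize_handshake`, the `build_*` helpers) and the sample packets are this page's own constructions. It parses the unprotected long-header fields of QUIC v1 Initial and Retry packets so you can see which client Initials carried a token and whether the server answered a token-less Initial with a Retry, which is the wire-visible sign that address validation is enabled.

```python
"""Parse the cleartext fields of QUIC v1 Initial and Retry long headers (RFC 9000 s.17.2).
Added example for capture triage; not code from the advisory or from OpenSSL."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

QUIC_V1 = 0x00000001
RETRY_TAG_LEN = 16  # Retry Integrity Tag, RFC 9001 s.5.8
TYPE_NAMES = {0: "initial", 1: "0rtt", 2: "handshake", 3: "retry"}


def read_varint(buf: bytes, off: int) -> tuple[int, int]:
    """Decode an RFC 9000 s.16 variable-length integer; return (value, next offset)."""
    if off >= len(buf):
        raise ValueError("truncated varint")
    size = 1 << (buf[off] >> 6)  # top two bits select a 1/2/4/8-byte encoding
    if off + size > len(buf):
        raise ValueError("truncated varint")
    value = buf[off] & 0x3F
    for b in buf[off + 1:off + size]:
        value = (value << 8) | b
    return value, off + size


def encode_varint(value: int) -> bytes:
    """Inverse of read_varint; used here only to build the constructed sample packets."""
    if value < 0x40:
        return bytes([value])
    if value < 0x4000:
        return struct.pack(">H", value | 0x4000)
    if value < 0x40000000:
        return struct.pack(">I", value | 0x80000000)
    return struct.pack(">Q", value | 0xC000000000000000)


@dataclass
class LongHeader:
    packet_type: str
    version: int
    dcid: bytes
    scid: bytes
    token: Optional[bytes]  # Initial: Token (may be empty); Retry: Retry Token; else None
    body: bytes             # Initial: Length-delimited PN + payload; Retry: integrity tag


def parse_long_header(pkt: bytes) -> LongHeader:
    """Parse the unprotected long-header fields of one QUIC v1 packet (UDP payload)."""
    if len(pkt) < 7 or pkt[0] & 0xC0 != 0xC0:
        raise ValueError("not a long-header packet with the fixed bit set")
    version = struct.unpack_from(">I", pkt, 1)[0]
    if version != QUIC_V1:
        raise ValueError(f"unsupported version 0x{version:08x}")
    ptype = TYPE_NAMES[(pkt[0] >> 4) & 0x3]
    off = 5
    dcid_len, off = pkt[off], off + 1
    dcid, off = pkt[off:off + dcid_len], off + dcid_len
    if off >= len(pkt):
        raise ValueError("truncated connection IDs")
    scid_len, off = pkt[off], off + 1
    scid, off = pkt[off:off + scid_len], off + scid_len
    if len(dcid) != dcid_len or len(scid) != scid_len:
        raise ValueError("truncated connection IDs")
    if ptype == "initial":
        tok_len, off = read_varint(pkt, off)
        token, off = pkt[off:off + tok_len], off + tok_len
        length, off = read_varint(pkt, off)
        body = pkt[off:off + length]
        if len(token) != tok_len or len(body) != length:
            raise ValueError("truncated Initial packet")
        return LongHeader(ptype, version, dcid, scid, token, body)
    if ptype == "retry":
        if len(pkt) - off < RETRY_TAG_LEN:
            raise ValueError("Retry packet shorter than its integrity tag")
        return LongHeader(ptype, version, dcid, scid, pkt[off:-RETRY_TAG_LEN], pkt[-RETRY_TAG_LEN:])
    return LongHeader(ptype, version, dcid, scid, None, pkt[off:])


def build_initial(dcid: bytes, scid: bytes, token: bytes, body: bytes) -> bytes:
    """Constructed Initial: first byte 0xC0 = form 1, fixed 1, type 00, reserved/PN-len 0."""
    return (bytes([0xC0]) + struct.pack(">I", QUIC_V1)
            + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid
            + encode_varint(len(token)) + token
            + encode_varint(len(body)) + body)


def build_retry(dcid: bytes, scid: bytes, retry_token: bytes, tag: bytes) -> bytes:
    """Constructed Retry: first byte 0xF0 = form 1, fixed 1, type 11, unused bits 0."""
    return (bytes([0xF0]) + struct.pack(">I", QUIC_V1)
            + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid + retry_token + tag)


def summarize_handshake(client_pkts: list[bytes], server_pkts: list[bytes]) -> dict:
    """Count client Initials with and without a token, and whether the server sent a Retry.
    A Retry proves address validation ran; its absence does not prove validation was
    disabled, because the server may have accepted a token issued earlier via NEW_TOKEN."""
    initials = [h for h in map(parse_long_header, client_pkts) if h.packet_type == "initial"]
    server_types = {parse_long_header(p).packet_type for p in server_pkts}
    return {
        "client_initials": len(initials),
        "initials_with_token": sum(1 for h in initials if h.token),
        "server_sent_retry": "retry" in server_types,
    }


if __name__ == "__main__":
    # Constructed sample exchange (not a real capture): token-less Initial, server Retry,
    # second Initial echoing the Retry token. Payload bytes are placeholders.
    dcid = bytes.fromhex("8394c8f03e515708")
    retry_token = b"\x11" * 24
    first = build_initial(dcid, b"", b"", b"\x00" * 32)
    retry = build_retry(b"", b"\xaa" * 8, retry_token, b"\x00" * RETRY_TAG_LEN)
    second = build_initial(b"\xaa" * 8, b"", retry_token, b"\x00" * 32)
    print(summarize_handshake([first, second], [retry]))
```

To use it on a real deployment, feed `summarize_handshake` the UDP payloads captured on the server's QUIC port, split by direction. A server that answers a fresh client's first Initial with a Retry is running address validation; on a server where you suspect SSL_LISTENER_FLAG_NO_VALIDATE is set you would instead see the Handshake flight follow the token-less Initial directly. The parser deliberately stops at the header: the packet number and payload are encrypted under the Initial keys and are not needed to answer either question.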

Impact

Successful exploitation of this vulnerability results in a NULL pointer dereference, which typically causes the affected QUIC server process to terminate abnormally. This leads to a Denial of Service (DoS) for legitimate users attempting to connect to the server.

Mitigation

The QUIC server listener API, SSL_new_listener(), was introduced in OpenSSL 3.5, so the vulnerable path exists only in the 3.5, 3.6, and 4.0 branches; the 3.4, 3.0, 1.1.1, and 1.0.2 branches ship no QUIC server and cannot reach it. Users of an affected branch should upgrade to a fixed release. The available references do not name the fixed versions for this CVE, although the advisory [1] details fixes for other vulnerabilities in these versions. The FIPS modules are not affected. The references mention no workaround, but the description implies one: address validation is enabled by default and the default configuration is not vulnerable, so dropping SSL_LISTENER_FLAG_NO_VALIDATE from the SSL_new_listener() call closes the path until the upgrade is in place.

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.