Quic Go
Products
2- 9 CVEs
- 3 CVEs
Recent CVEs
12| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-59530 | Hig | 0.42 | 7.5 | 0.00 | Oct 10, 2025 | quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This… | ||
| CVE-2025-29785 | Hig | 0.42 | 7.5 | 0.00 | Jun 2, 2025 | quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC… | ||
| CVE-2024-22189 | Hig | 0.42 | 7.5 | 0.01 | Apr 4, 2024 | quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame… | ||
| CVE-2024-53259 | Med | 0.35 | 6.5 | 0.01 | Dec 2, 2024 | quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send… | ||
| CVE-2026-40898 | Med | 0.27 | 5.3 | 0.00 | Jun 4, 2026 | quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with… | ||
| CVE-2022-30591 | 0.01 | — | 0.02 | Jul 6, 2022 | quic-go through 0.27.0 allows remote attackers to cause a denial of service (CPU consumption) via a Slowloris variant in which incomplete QUIC or HTTP/3 requests are sent. This occurs because mtu_discoverer.go misparses the MTU Discovery service and consequently overflows the… | |||
| CVE-2026-21438 | 0.00 | — | 0.00 | Feb 12, 2026 | webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage… | |||
| CVE-2026-21435 | 0.00 | — | 0.00 | Feb 12, 2026 | webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the… | |||
| CVE-2026-21434 | 0.00 | — | 0.00 | Feb 12, 2026 | webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message.… | |||
| CVE-2025-64702 | 0.00 | — | 0.00 | Dec 11, 2025 | quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section… | |||
| CVE-2023-49295 | 0.00 | — | 0.01 | Jan 10, 2024 | quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE… | |||
| CVE-2023-46239 | 0.00 | — | 0.01 | Oct 31, 2023 | quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic)… |
- risk 0.42cvss 7.5epss 0.00
quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This…
- risk 0.42cvss 7.5epss 0.00
quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC…
- risk 0.42cvss 7.5epss 0.01
quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame…
- risk 0.35cvss 6.5epss 0.01
quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send…
- risk 0.27cvss 5.3epss 0.00
quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with…
- CVE-2022-30591Jul 6, 2022risk 0.01cvss —epss 0.02
quic-go through 0.27.0 allows remote attackers to cause a denial of service (CPU consumption) via a Slowloris variant in which incomplete QUIC or HTTP/3 requests are sent. This occurs because mtu_discoverer.go misparses the MTU Discovery service and consequently overflows the…
- CVE-2026-21438Feb 12, 2026risk 0.00cvss —epss 0.00
webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage…
- CVE-2026-21435Feb 12, 2026risk 0.00cvss —epss 0.00
webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the…
- CVE-2026-21434Feb 12, 2026risk 0.00cvss —epss 0.00
webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message.…
- CVE-2025-64702Dec 11, 2025risk 0.00cvss —epss 0.00
quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section…
- CVE-2023-49295Jan 10, 2024risk 0.00cvss —epss 0.01
quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE…
- CVE-2023-46239Oct 31, 2023risk 0.00cvss —epss 0.01
quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic)…