CVE-2026-31812
Denial of Service in Quinn QUIC via Malformed Transport Parameters
Publication date: 2026-03-10
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quinn | quinn | < 0.11.14 (0.11.14 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Quinn, a Rust implementation of the IETF QUIC transport protocol. Before version 0.11.14, a remote attacker who is not authenticated can cause a denial of service by sending a specially crafted QUIC Initial packet with malformed transport parameters. The issue arises because the parsing logic uses unwrap() on attacker-controlled varints, which leads to a panic when truncated encodings are encountered. This panic causes the application to crash or become unavailable.
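The defect class described above (a panic reached through `unwrap()` or unchecked indexing on an attacker-supplied variable-length integer) is easiest to see on a small decoder. The following is an added illustration written for this page, not Quinn's own code and not the patched function from 0.11.14: it decodes QUIC variable-length integers (RFC 9000 section 16) twice, once in the unchecked style that panics on a truncated encoding and once in the fallible style that returns an error, and then uses the fallible decoder to walk a transport-parameter block of (id, length, value) entries. The sample byte strings are constructed for the example.

```rust
// Added illustration, not Quinn's own code. `decode_varint_unchecked` shows
// the failure mode the advisory describes (a panic on a truncated encoding,
// reachable before any authentication); `decode_varint` is the hardened
// form that bounds-checks every read and reports an error instead.

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    /// The buffer ended before the number of bytes the prefix promised.
    Truncated { needed: usize, available: usize },
    /// A declared length does not fit in usize on this platform.
    Oversized(u64),
    /// No bytes at all where a varint was expected.
    Empty,
}

/// Length of a varint in bytes, taken from the top two bits of its first byte:
/// 00 -> 1, 01 -> 2, 10 -> 4, 11 -> 8.
fn varint_len(first: u8) -> usize {
    1usize << (first >> 6)
}

/// Defect pattern: the length prefix is trusted and the slice is indexed
/// directly, so a truncated encoding panics (index out of bounds) instead of
/// failing gracefully. Kept only to demonstrate the crash; never use as-is.
pub fn decode_varint_unchecked(buf: &[u8]) -> (u64, usize) {
    let len = varint_len(buf[0]);
    let mut value = (buf[0] & 0x3f) as u64;
    for &b in &buf[1..len] {
        // panics when buf.len() < len
        value = (value << 8) | b as u64;
    }
    (value, len)
}

/// Hardened form: every read goes through a checked accessor and the caller
/// decides what to do with the error (for a QUIC endpoint: drop the packet).
pub fn decode_varint(buf: &[u8]) -> Result<(u64, usize), DecodeError> {
    let first = *buf.first().ok_or(DecodeError::Empty)?;
    let len = varint_len(first);
    let bytes = buf.get(..len).ok_or(DecodeError::Truncated {
        needed: len,
        available: buf.len(),
    })?;
    let mut value = (first & 0x3f) as u64;
    for &b in &bytes[1..] {
        value = (value << 8) | b as u64;
    }
    Ok((value, len))
}

/// Parse a transport-parameter block of (id, length, value) entries, in the
/// shape of RFC 9000 section 18, propagating every decode failure with `?`
/// rather than unwrapping. Returns the raw (id, value) pairs.
pub fn parse_transport_params(mut buf: &[u8]) -> Result<Vec<(u64, Vec<u8>)>, DecodeError> {
    let mut params = Vec::new();
    while !buf.is_empty() {
        let (id, n) = decode_varint(buf)?;
        buf = &buf[n..];
        let (len, n) = decode_varint(buf)?;
        buf = &buf[n..];
        let len = usize::try_from(len).map_err(|_| DecodeError::Oversized(len))?;
        let value = buf.get(..len).ok_or(DecodeError::Truncated {
            needed: len,
            available: buf.len(),
        })?;
        params.push((id, value.to_vec()));
        buf = &buf[len..];
    }
    Ok(params)
}

/// True if the unchecked decoder panics on `buf`; this is the crash a
/// malformed packet (or a fuzzer) would trigger in the defective style.
pub fn unchecked_panics(buf: &[u8]) -> bool {
    std::panic::catch_unwind(|| decode_varint_unchecked(buf)).is_err()
}

fn main() {
    // Constructed inputs: a well-formed 2-byte varint and a 4-byte prefix
    // followed by only one more byte (truncated).
    println!("{:?}", decode_varint(&[0x7b, 0xbd]));
    println!("{:?}", decode_varint(&[0x9d, 0x7f]));
    println!(
        "unchecked decoder panics on [0x80, 0x01]: {}",
        unchecked_panics(&[0x80, 0x01])
    );
    // Constructed block: id 4 with a 1-byte value, then id 3 with a 2-byte value.
    println!("{:?}", parse_transport_params(&[0x04, 0x01, 0x25, 0x03, 0x02, 0x7b, 0xbd]));
}
```

The point of the hardened version is that malformed input becomes an ordinary `Err` the endpoint can discard, so the worst a crafted Initial packet can do is cost the cycles spent parsing it. A unit test or fuzz harness that feeds truncated prefixes to the parser is the practical check that no `unwrap()` or raw index survived in the packet-handling path.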
How can this vulnerability impact me?
The vulnerability can lead to a denial of service (DoS) condition in applications using affected versions of Quinn. An attacker can remotely crash the application by sending a single malformed packet without needing any prior authentication or trust. This can result in service interruptions and unavailability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the quinn library to version 0.11.14 or later, where the issue has been fixed.