CVE-2026-10740
Awaiting Analysis Awaiting Analysis - Queue
Memory Exhaustion in s2n-quic CRYPTO Frame Reassembler

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: AMZN

Description
Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a denial of service (degraded availability) by sending crafted QUIC Initial packets. To remediate this issue, users should upgrade to v1.8.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-11
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2026-10740
EUVD
EUVD-2026-36103
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
aws s2n-quic 1.8.2
aws s2n-quic From 1.8.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-10740 is a vulnerability in the s2n-quic library, a Rust implementation of the QUIC protocol. The issue arises from unbounded memory allocation in the CRYPTO frame reassembler component in versions before 1.8.2. An unauthenticated remote attacker can exploit this by sending specially crafted CRYPTO frames with high offsets, causing the server to allocate excessive memory without any maximum size limit on the buffer used for processing these frames.

This can lead to memory exhaustion because a single crafted 1200-byte packet could cause approximately 9.4 MB of memory allocation. Repeated exploitation can result in a denial-of-service condition by overwhelming the server's memory resources. Importantly, the attack does not require a valid handshake to be established.

The vulnerability has been fixed in s2n-quic version 1.8.2, and upgrading to this version or later is the recommended remediation.

Impact Analysis

This vulnerability can impact you by allowing an unauthenticated remote attacker to cause a denial of service (DoS) on your system running vulnerable versions of s2n-quic. By sending crafted QUIC Initial packets, the attacker can trigger excessive memory allocation, potentially exhausting server memory resources.

The result is degraded availability of the affected service, as the server may become unresponsive or crash due to memory exhaustion. Since no authentication or valid handshake is required, the attack can be executed easily over the network.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the s2n-quic library to version 1.82.0 or later.

There are no effective workarounds for this issue, so applying the patch by upgrading is the recommended remediation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10740. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart