CVE-2026-11941
Received - Intake
Use-After-Free in Cloudflare Quiche FFI Functions

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Cloudflare, Inc.

Description
Cloudflare Quiche was affected by 2 use-after-free vulnerabilities in the connection ID iterator FFI functions. The “quiche_connection_id_iter_next” and “quiche_conn_retired_scid_next” functions would return a pointer to a “ConnectionId” to the applications via function arguments, but the owned “ConnectionId” would be dropped at the end of those functions' scope. Only applications using those FFI functions are affected. The FFI API is disabled by default by a build-time feature flag.

Impact
If unpatched, an application calling the affected FFI functions will dereference freed memory. The most likely outcome is undefined behavior leading to a process crash (denial of service). Depending on allocator state, the read may also return adjacent heap contents, resulting in limited information disclosure or incorrect connection identifier handling.

Mitigation
Users are requested to upgrade to quiche 0.29.2 which is the earliest version containing the fix for this issue.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cloudflare quiche 0.29.2
cloudflare quiche From 0.20.0 (inc)
CWE
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Executive Summary

This vulnerability involves two use-after-free issues in Cloudflare Quiche's connection ID iterator FFI functions, specifically quiche_connection_id_iter_next and quiche_conn_retired_scid_next.

These functions return pointers to ConnectionId objects to applications, but the actual ConnectionId objects are freed at the end of the functions' scope. This means the pointers reference memory that has already been released.

If an application later accesses these pointers, it may cause undefined behavior such as memory corruption or crashes.

Only applications using these specific FFI functions are affected, and the FFI API is disabled by default.

Impact Analysis

If unpatched, an application calling the affected FFI functions may dereference freed memory, leading to undefined behavior.

  • The most common impact is a process crash, resulting in denial of service.
  • Depending on the state of the memory allocator, the read might return adjacent heap contents, potentially causing limited information disclosure.
  • Incorrect handling of connection identifiers may also occur, affecting application integrity.

Detection Guidance

This vulnerability affects only applications using the specific FFI functions quiche_connection_id_iter_next and quiche_conn_retired_scid_next in Cloudflare Quiche. Detection involves identifying whether your application uses these FFI functions.

Since the vulnerability leads to use-after-free issues causing process crashes or undefined behavior, monitoring application logs for crashes or memory errors related to these functions can help detect exploitation attempts.

There are no specific commands provided in the available resources to detect this vulnerability directly.
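The exposure check described above (does the application call either function, and is the quiche it builds against older than 0.29.2) can be scripted. This is an added example, not part of the advisory or of quiche; the call-site regex, the Cargo.lock lookup and the 0.20.0 lower bound (read from the CPE row on this page) are assumptions, and the sample inputs are constructed.

```python
import re

# Function names and the fixed version come from the advisory text.
AFFECTED_SYMBOLS = ("quiche_connection_id_iter_next", "quiche_conn_retired_scid_next")
FIRST_AFFECTED = (0, 20, 0)  # assumption: from the page's CPE row "From 0.20.0 (inc)"
FIRST_FIXED = (0, 29, 2)

CALL_RE = re.compile(r"\b(" + "|".join(AFFECTED_SYMBOLS) + r")\s*\(")
LOCK_RE = re.compile(r'name\s*=\s*"quiche"\s*\n\s*version\s*=\s*"(\d+)\.(\d+)\.(\d+)')

def find_calls(source):
    """Return (line_number, symbol) per call site; text after // is ignored.
    Indirect use (function pointers, dlsym) is not detected."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]
        hits += [(n, m.group(1)) for m in CALL_RE.finditer(code)]
    return hits

def locked_version(cargo_lock):
    """Extract the pinned quiche version from Cargo.lock text, or None."""
    m = LOCK_RE.search(cargo_lock)
    return tuple(int(x) for x in m.groups()) if m else None

def assess(source, cargo_lock):
    """Classify exposure from application source plus Cargo.lock contents."""
    if not find_calls(source):
        return "no-affected-calls"
    version = locked_version(cargo_lock)
    if version is None:
        return "calls-present-version-unknown"
    if version >= FIRST_FIXED:
        return "patched"
    if version >= FIRST_AFFECTED:
        return "affected"
    return "outside-listed-range"

# Constructed caller; the argument lists are illustrative only.
SAMPLE_C = (
    "// quiche_conn_retired_scid_next(conn, &id, &len);\n"
    "while (quiche_connection_id_iter_next(iter, &id, &len)) {\n"
    "    log_cid(id, len);\n"
    "}\n"
)
# Constructed Cargo.lock entry.
SAMPLE_LOCK = '[[package]]\nname = "quiche"\nversion = "0.24.0"\n'

if __name__ == "__main__":
    print(find_calls(SAMPLE_C), assess(SAMPLE_C, SAMPLE_LOCK))
```

A "calls-present-version-unknown" result means the quiche version has to be confirmed another way, for example from the build system that produces the linked library.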

Mitigation Strategies

The primary mitigation step is to upgrade Cloudflare Quiche to version 0.29.2 or later, which contains the fix for these use-after-free vulnerabilities.

Additionally, since the FFI API is disabled by default via a build-time feature flag, ensure that your build configuration does not enable the FFI API unless necessary.

Compliance Impact

The vulnerability in Cloudflare Quiche involves use-after-free issues that can lead to limited information disclosure due to reading adjacent heap contents. This could potentially expose sensitive data handled by applications using the affected FFI functions.

Such information disclosure risks may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or leaks.

However, the vulnerability requires use of specific FFI functions that are disabled by default, and exploitation complexity is high, which may limit the practical risk.

To maintain compliance, affected users should upgrade to the fixed version (0.29.2) to mitigate risks of data exposure and denial of service.
