CVE-2026-34183
Awaiting Analysis
Awaiting Analysis - Queue
BaseFortify
Publication date: 2026-06-09
Last updated on: 2026-06-09
Assigner: OpenSSL Software Foundation
Description
Description
Issue summary: Remote peer may exhaust heap memory of the QUIC
server or client by flooding it with packets containing PATH_CHALLENGE
frames.
Impact summary: A malicious remote peer can cause an unbounded
memory allocation which can lead to an abnormal termination of the
application acting as a QUIC client or server and a Denial of Service.
A remote peer may exhaust heap memory by flooding the local
QUIC stack with PATH_CHALLENGE frames. The local QUIC stack
allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives.
The allocated PATH_RESPONSE frame gets freed only when the remote
peer acknowledges reception of the PATH_RESPONSE frame which will
not be done by a malicious peer.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by
this issue. The QUIC stack is outside of OpenSSL FIPS module
boundary.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openssl | openssl | From 4.0|start_excluding=3.6|start_excluding=3.5|start_excluding=3.4|start_excluding=3.0 (exc) |
| openssl | openssl | 3.0 |
| openssl | openssl | 3.4 |
| openssl | openssl | 3.5 |
| openssl | openssl | 3.6 |
| openssl | openssl | 4.0 |
| openssl | openssl | to 4.0 (exc) |
| openssl | openssl | to 3.6 (exc) |
| openssl | openssl | to 3.5 (exc) |
| openssl | openssl | to 3.4 (exc) |
| openssl | openssl | to 3.0 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-1325 | The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects. |