CVE-2026-34183
Status: Analyzed (analysis complete)

Heap Memory Exhaustion in QUIC Stack via PATH_CHALLENGE Flood

Vulnerability report for CVE-2026-34183, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-15

Assigner: OpenSSL Software Foundation

Description

Issue summary: A remote peer can exhaust the heap memory of a QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames.

Impact summary: A malicious remote peer can trigger unbounded memory allocation, which can lead to abnormal termination of the application acting as a QUIC client or server, i.e. a denial of service.

The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame is freed only when the remote peer acknowledges receipt of the PATH_RESPONSE, which a malicious peer simply never does, so every additional PATH_CHALLENGE costs the victim an allocation that is never released.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue: the QUIC stack is outside the OpenSSL FIPS module boundary.


Meta Information

Generated: 2026-06-30
AI Q&A generated: 2026-06-09
EPSS evaluated: 2026-06-28
External entries: NVD, EUVD

Affected Vendors & Products

4 associated CPEs:
Vendor Product Version / Range
openssl openssl From 3.4.0 (inc) to 3.4.6 (exc)
openssl openssl From 3.5.0 (inc) to 3.5.7 (exc)
openssl openssl From 3.6.0 (inc) to 3.6.3 (exc)
openssl openssl 4.0.0

CWE

CWE-1325 (Improperly Controlled Sequential Memory Allocation): The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.

AI-generated analysis
Executive Summary

This vulnerability involves a remote peer sending a large number of packets containing PATH_CHALLENGE frames to a QUIC server or client.

Each PATH_CHALLENGE frame causes the local QUIC stack to allocate memory for a corresponding PATH_RESPONSE frame.

A malicious peer does not acknowledge the PATH_RESPONSE frames, so the allocated memory is not freed, leading to unbounded memory allocation.

This can exhaust the heap memory of the QUIC server or client, potentially causing the application to terminate abnormally.

Impact Analysis

The vulnerability leads to a denial of service (DoS): the heap of the application acting as a QUIC client or server is exhausted and the process terminates abnormally. The trigger is any remote peer of the QUIC connection, so no local access is required.

Every service that depends on the affected QUIC implementation loses availability for as long as the process is down.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The primary mitigation for CVE-2026-34183 is to upgrade OpenSSL to a release outside the affected ranges listed above, i.e. 3.4.6, 3.5.7 or 3.6.3 (the upper bounds of those ranges); 4.0.0 is listed as affected and this page does not name a fixed 4.0 release. Only applications that use OpenSSL's QUIC stack are exposed, since the vulnerable code lives there; the FIPS modules are not affected. Until the upgrade is in place, steadily growing memory use of a long-lived QUIC process that correlates with inbound packet volume from a single peer is the symptom to watch for.

The fix, as described in the report, limits the number of PATH_CHALLENGE frames processed per packet to one, as recommended by RFC 9000, and changes the PATH_RESPONSE bookkeeping in the following ways:

  • A per-packet flag (seen_path_challenge) ensures that only the first PATH_CHALLENGE in a packet is answered; further PATH_CHALLENGE frames in the same packet are ignored.
  • The queue of PATH_RESPONSE frames waiting to be dispatched is capped (QUIC_PATH_RESPONSE_QLEN, set to 32), so a flood can no longer grow it without bound.
  • PATH_RESPONSE is an unreliable frame, so it is discarded immediately after transmission instead of being held until the peer acknowledges it.
  • Per-packet state flags and counters are reset between packets, so the per-packet limit cannot be bypassed by spreading frames across packets.
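As an added example that is not OpenSSL's code and not its fix, the following C model reproduces the mechanism from the Description and the four changes listed above side by side: with hardened = false every PATH_RESPONSE is retained until an ACK that never arrives, with hardened = true only the first PATH_CHALLENGE per packet is answered, the queue is capped at QUIC_PATH_RESPONSE_QLEN (32, the value quoted above) and each response is freed once sent. The frame layout (type byte 0x1a followed by 8 bytes of data) is RFC 9000's; the struct and function names, the hardened switch and the flood harness with its constructed packet data are assumptions made for illustration.

```c
/* Added example, not OpenSSL code: a toy model of the PATH_RESPONSE bookkeeping
 * described in the report. Frame layout follows RFC 9000 (PATH_CHALLENGE type 0x1a,
 * 8 bytes of data); names, the "hardened" switch and the flood harness are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FRAME_PATH_CHALLENGE    0x1a
#define PATH_DATA_LEN           8
#define FRAME_LEN               (1 + PATH_DATA_LEN)
#define QUIC_PATH_RESPONSE_QLEN 32   /* queue cap quoted in the report */

typedef struct path_response {
    uint8_t data[PATH_DATA_LEN];
    struct path_response *next;
} PATH_RESPONSE;

typedef struct {
    bool hardened;           /* false: pre-fix behaviour, true: fixed behaviour */
    PATH_RESPONSE *pending;  /* queued for transmission */
    size_t npending;
    PATH_RESPONSE *inflight; /* sent, kept until the peer ACKs (pre-fix only) */
    size_t ninflight;
} QUIC_STATE;

static void push(PATH_RESPONSE **head, size_t *n, PATH_RESPONSE *r)
{
    r->next = *head; *head = r; (*n)++;
}

static void free_list(PATH_RESPONSE **head, size_t *n)
{
    for (PATH_RESPONSE *r; (r = *head) != NULL; free(r))
        *head = r->next;
    *n = 0;
}

/* Parse one packet and queue a PATH_RESPONSE per accepted PATH_CHALLENGE.
 * Returns the number queued, or -1 on malformed input. */
int process_packet(QUIC_STATE *st, const uint8_t *pkt, size_t len)
{
    bool seen_path_challenge = false; /* per-packet flag, reset for every packet */
    int queued = 0;
    for (size_t off = 0; off < len; off += FRAME_LEN) {
        if (pkt[off] != FRAME_PATH_CHALLENGE || off + FRAME_LEN > len)
            return -1; /* toy parser: only whole PATH_CHALLENGE frames */
        if (st->hardened) {
            if (seen_path_challenge)
                continue; /* only the first PATH_CHALLENGE per packet is answered */
            seen_path_challenge = true;
            if (st->npending >= QUIC_PATH_RESPONSE_QLEN)
                continue; /* queue capped: drop instead of allocating */
        }
        PATH_RESPONSE *r = calloc(1, sizeof(*r));
        if (r == NULL) return -1;
        memcpy(r->data, pkt + off + 1, PATH_DATA_LEN); /* echo the challenge data */
        push(&st->pending, &st->npending, r);
        queued++;
    }
    return queued;
}

/* Send everything queued. Pre-fix: the frame is retained until ACKed, which a malicious
 * peer never does. Fixed: PATH_RESPONSE is unreliable, so it is freed once sent. */
void transmit_pending(QUIC_STATE *st)
{
    while (st->pending != NULL) {
        PATH_RESPONSE *r = st->pending;
        st->pending = r->next;
        st->npending--;
        if (st->hardened)
            free(r);
        else
            push(&st->inflight, &st->ninflight, r);
    }
}

/* Flood harness: npackets packets of per_packet PATH_CHALLENGE frames (constructed data);
 * the local side transmits after every transmit_every packets (0 = never); the peer never
 * ACKs. Returns the number of PATH_RESPONSE objects still allocated at the end. */
size_t simulate_flood(bool hardened, size_t npackets, size_t per_packet, size_t transmit_every)
{
    QUIC_STATE st = { .hardened = hardened };
    size_t pktlen = per_packet * FRAME_LEN, live;
    uint8_t *pkt = malloc(pktlen);
    if (pkt == NULL) return 0;
    for (size_t i = 0; i < per_packet; i++) {
        pkt[i * FRAME_LEN] = FRAME_PATH_CHALLENGE;
        memset(pkt + i * FRAME_LEN + 1, (int)(i & 0xff), PATH_DATA_LEN);
    }
    for (size_t p = 0; p < npackets; p++) {
        process_packet(&st, pkt, pktlen);
        if (transmit_every != 0 && (p + 1) % transmit_every == 0)
            transmit_pending(&st);
    }
    live = st.npending + st.ninflight;
    free(pkt);
    free_list(&st.pending, &st.npending);
    free_list(&st.inflight, &st.ninflight);
    return live;
}
```

simulate_flood(false, 1000, 10, 100) ends with 10000 live PATH_RESPONSE objects after 1000 ten-challenge packets, while the same flood with hardened = true ends with none, and without any transmission opportunity (transmit_every = 0) the fixed state never holds more than 32. The per-packet limit on its own would not bound memory, since a peer can send one PATH_CHALLENGE per packet indefinitely; it is the queue cap together with discarding each PATH_RESPONSE after it is sent that turns the unbounded growth into a constant.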
