CVE-2026-40898
Memory Exhaustion in quic-go via HTTP/3 Trailers
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quic-go | quic-go | up to 0.59.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40898 is a vulnerability in the quic-go library, which implements the QUIC protocol in Go. An attacker can exploit this by sending a specially crafted QPACK-encoded HEADERS frame that decodes into a large trailer field section containing many unique field names or large values. The quic-go implementation enforces limits on the size of the compressed HEADERS frame but not on the size of the decoded field section, which can cause excessive memory allocation.
This excessive memory allocation can lead to memory exhaustion, potentially causing denial-of-service (DoS) attacks against both HTTP/3 clients and servers using quic-go. The vulnerability affects versions prior to 0.59.1, which introduced enforcement of RFC 9114 decoded field section size limits for trailers to prevent this issue.
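The defect described above is a missing bound on the decoded size, not the compressed size. As an added illustration (not quic-go's own code), the Go snippet below shows the RFC 9114 Section 4.2.2 accounting (name length plus value length plus 32 bytes per field) and a decode loop that aborts as soon as the running total passes the advertised limit; the `Field` type, `syntheticTrailers` generator and the 8192-byte limit are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Field is one QPACK-decoded trailer field (hypothetical type for this example).
type Field struct{ Name, Value string }
var ErrFieldSectionTooLarge = errors.New("decoded field section exceeds SETTINGS_MAX_FIELD_SECTION_SIZE")

// fieldSize is the RFC 9114 Section 4.2.2 cost of one field: the byte
// length of name and value plus a fixed 32-byte overhead.
func fieldSize(f Field) uint64 {
	return uint64(len(f.Name)) + uint64(len(f.Value)) + 32
}

// decodeFieldSection pulls fields from next() and aborts as soon as the
// running decoded size passes maxSize (the advertised SETTINGS_MAX_FIELD_SECTION_SIZE).
// Checking per field, not after the whole section is decoded, is what stops
// a small compressed HEADERS frame from turning into an unbounded allocation.
func decodeFieldSection(next func() (Field, bool), maxSize uint64) ([]Field, error) {
	var fields []Field
	var total uint64
	for f, ok := next(); ok; f, ok = next() {
		if total += fieldSize(f); total > maxSize {
			return nil, ErrFieldSectionTooLarge
		}
		fields = append(fields, f)
	}
	return fields, nil
}

// syntheticTrailers is a constructed decoder stand-in: n unique names, each with a valueLen-byte value.
func syntheticTrailers(n, valueLen int) func() (Field, bool) {
	i, value := 0, string(make([]byte, valueLen))
	return func() (Field, bool) {
		if i >= n {
			return Field{}, false
		}
		i++
		return Field{Name: fmt.Sprintf("x-trailer-%d", i-1), Value: value}, true
	}
}

func main() {
	_, err := decodeFieldSection(syntheticTrailers(1000, 64), 8192) // 8192: example limit
	fmt.Println(err)
}
```

The decoder stops after roughly 76 of the 1000 fields, so the remaining allocations never happen; a check applied only after full decoding would already have paid for them.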
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to cause excessive memory allocation in quic-go's HTTP/3 client or server implementations. This can lead to memory exhaustion, resulting in denial-of-service (DoS) conditions:
- Potential crashes of the affected application.
- Resource exhaustion that degrades service availability.
Because the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a moderate risk to availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the quic-go library to version 0.59.1 or later.
This update enforces RFC 9114 decoded field section size limits for HTTP/3 trailers, preventing excessive memory allocation caused by malicious QPACK-encoded HEADERS frames.
Applying this patch will protect both client and server implementations from denial-of-service attacks related to this issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.