CVE-2026-40898
Status: Analyzed - Analysis Complete
Memory Exhaustion in quic-go via HTTP/3 Trailers

Publication date: 2026-06-04

Last updated on: 2026-06-05

Assigner: GitHub, Inc.

Description
quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an `http.Header` for the corresponding `http.Request` or `http.Response`, while only enforcing limits on the size of the QPACK-compressed HEADERS frame, not on the decoded field section. This can lead to memory exhaustion. This is very similar to CVE-2025-64702. The difference is that this issue uses HTTP trailers, rather than HTTP headers, as the attack vector. A misbehaving or malicious peer can cause a denial-of-service (DoS) attack against quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or resource exhaustion. This affects both servers and clients due to symmetric header construction. Version 0.59.1 enforces RFC 9114 decoded field section size limits for trailers as well. It incrementally decodes QPACK entries and checks the field section size after each entry, aborting the stream if an entry causes the limit to be exceeded.
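The mechanism the description outlines, as an added example that is not quic-go's own code: a simplified model of building a trailer header map from decoded entries, once with the size limit consulted only after the whole field section has been materialised, and once with the RFC 9114 field section size (name length + value length + 32 bytes per field) accumulated and checked after each entry, aborting at the first entry that would exceed it. The QPACK decoding itself is elided; `decodeEntries`, the 4096-byte limit and the sample section are constructed for illustration and are not quic-go's defaults.

```go
package main

import (
	"errors"
	"fmt"
)

// Field is one decoded (name, value) pair from a field section.
type Field struct{ Name, Value string }

// RFC 9114 Section 4.2.2: a field section's size is the sum over its fields
// of len(name) + len(value) + 32 bytes of per-field overhead.
const fieldOverhead = 32

func fieldSize(f Field) int { return len(f.Name) + len(f.Value) + fieldOverhead }

// ErrFieldSectionTooLarge is returned when the decoded size passes the limit;
// an HTTP/3 endpoint would abort the request stream at this point.
var ErrFieldSectionTooLarge = errors.New("decoded trailer field section exceeds limit")

// decodeEntries stands in for a QPACK decoder (constructed for this example).
// Real decoding is elided: the entries are already plaintext, and the point is
// only that they arrive one at a time, which is what makes a per-entry check possible.
func decodeEntries(entries []Field, yield func(Field) error) error {
	for _, f := range entries {
		if err := yield(f); err != nil {
			return err
		}
	}
	return nil
}

// buildTrailersVulnerable models the pre-0.59.1 shape of the problem: every
// decoded entry is stored in the header map first, and the limit is consulted
// only once the whole section has been materialised. By then an allocation
// proportional to the decoded (not the compressed) size has already happened.
func buildTrailersVulnerable(entries []Field, maxSize int) (hdr map[string][]string, stored int, err error) {
	hdr = make(map[string][]string)
	total := 0
	_ = decodeEntries(entries, func(f Field) error {
		hdr[f.Name] = append(hdr[f.Name], f.Value)
		stored++
		total += fieldSize(f)
		return nil
	})
	if total > maxSize {
		return nil, stored, ErrFieldSectionTooLarge // rejected, but only after allocating
	}
	return hdr, stored, nil
}

// buildTrailersHardened applies the check incrementally: the running size is
// updated for each entry before it is stored, and decoding stops at the first
// entry that would push the section over maxSize. Memory held for the section
// is therefore bounded by maxSize regardless of how the frame was compressed.
func buildTrailersHardened(entries []Field, maxSize int) (hdr map[string][]string, stored int, err error) {
	hdr = make(map[string][]string)
	total := 0
	err = decodeEntries(entries, func(f Field) error {
		total += fieldSize(f)
		if total > maxSize {
			return ErrFieldSectionTooLarge
		}
		hdr[f.Name] = append(hdr[f.Name], f.Value)
		stored++
		return nil
	})
	if err != nil {
		return nil, stored, err
	}
	return hdr, stored, nil
}

// sampleTrailers builds a constructed trailer section with n unique field
// names, each carrying a value of valueLen bytes; it stands in for what a
// small QPACK-compressed frame can expand into after decoding.
func sampleTrailers(n, valueLen int) []Field {
	value := string(make([]byte, valueLen)) // zero bytes; only the length matters here
	out := make([]Field, n)
	for i := range out {
		out[i] = Field{Name: fmt.Sprintf("x-trailer-%05d", i), Value: value}
	}
	return out
}

func main() {
	const maxSize = 4096                   // illustrative limit, not quic-go's default
	section := sampleTrailers(10000, 1024) // roughly 10.7 MB once decoded
	_, n, err := buildTrailersVulnerable(section, maxSize)
	fmt.Printf("vulnerable: stored %d entries before rejecting (%v)\n", n, err)
	_, n, err = buildTrailersHardened(section, maxSize)
	fmt.Printf("hardened:   stored %d entries before rejecting (%v)\n", n, err)
}
```

With the constructed section (15-byte names, 1024-byte values, so 1071 bytes per field under the RFC 9114 accounting) and a 4096-byte limit, the hardened variant stores three entries and rejects the fourth, while the vulnerable variant stores all 10,000 before it notices. The same check applies to regular headers, which is why the description points to CVE-2025-64702 as the header-side twin of this issue.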
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-05
Generated: 2026-06-26
AI Q&A: 2026-06-04
EPSS Evaluated: 2026-06-24
Affected Vendors & Products
Showing 1 associated CPE
Vendor: quic-go_project | Product: quic-go | Version / Range: up to 0.59.1 (excluding)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

CVE-2026-40898 is a vulnerability in the quic-go library, which implements the QUIC protocol in Go. An attacker can exploit this by sending a specially crafted QPACK-encoded HEADERS frame that decodes into a large trailer field section containing many unique field names or large values. The quic-go implementation enforces limits on the size of the compressed HEADERS frame but not on the size of the decoded field section, which can cause excessive memory allocation.

This excessive memory allocation can lead to memory exhaustion, potentially causing denial-of-service (DoS) attacks against both HTTP/3 clients and servers using quic-go. The vulnerability affects versions prior to 0.59.1, which introduced enforcement of RFC 9114 decoded field section size limits for trailers to prevent this issue.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause excessive memory allocation in quic-go's HTTP/3 client or server implementations. This can lead to memory exhaustion, resulting in denial-of-service (DoS) conditions.

  • Potential crashes of the affected application.
  • Resource exhaustion that degrades service availability.

Because the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a moderate risk to availability.

Mitigation Strategies

To mitigate this vulnerability, you should update the quic-go library to version 0.59.1 or later.

This update enforces RFC 9114 decoded field section size limits for HTTP/3 trailers, preventing excessive memory allocation caused by malicious QPACK-encoded HEADERS frames.

Applying this patch will protect both client and server implementations from denial-of-service attacks related to this issue.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves an attacker sending a QPACK-encoded HEADERS frame with a large trailer field section containing many unique field names or large values, causing excessive memory allocation in quic-go HTTP/3 implementations.

To detect exploitation attempts on your network or system, you should monitor HTTP/3 traffic for unusually large or abnormal QPACK-encoded HEADERS frames, especially those containing large trailer sections.

Since the vulnerability is specific to quic-go versions prior to 0.59.1, verifying the version of quic-go in use is a critical first step.

There are no specific commands provided in the available resources to detect this vulnerability directly. However, general network monitoring tools like Wireshark can be used to capture and analyze QUIC and HTTP/3 traffic for suspicious large trailer fields.

Additionally, the quic-go version in use can be determined by inspecting the application's dependency manifest (for Go projects, the `go.mod` file) or the module information embedded in the built binary. quic-go is consumed as a Go module rather than installed as a standalone tool, so a `quic-go --version` command is not generally available; dependency manifests and package managers are the reliable source.
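One way to carry out the version check described above, as an added example rather than a tool from the quic-go project: it scans `go.mod` text (or the module lines printed by `go version -m <binary>`, which list each dependency as path followed by version) for the quic-go module and compares the version found against v0.59.1 with a small semver parser. The `sampleGoMod` manifest and the helper names are constructed for this example; pseudo-versions are ordered below the release they precede, which is a simplification of Go's full version ordering.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

const (
	quicGoModule = "github.com/quic-go/quic-go"
	fixedVersion = "v0.59.1" // first release that enforces the trailer field section limit
)

// version holds a parsed "vMAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]" string.
type version struct {
	core [3]int
	pre  string
}

// parseVersion accepts Go module versions such as v0.48.2 or pseudo-versions
// such as v0.59.1-0.20260601000000-0123456789ab; anything else is rejected.
func parseVersion(s string) (version, bool) {
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i] // build metadata never affects ordering
	}
	var v version
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, false
		}
		v.core[i] = n
	}
	return v, true
}

// compareVersions returns -1, 0 or 1. A pre-release (including a Go
// pseudo-version) sorts below the plain release with the same core.
func compareVersions(a, b version) int {
	for i := 0; i < 3; i++ {
		if a.core[i] != b.core[i] {
			if a.core[i] < b.core[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre) // simplification: lexical, not full semver precedence
}

// isAffected reports whether the given quic-go version predates the fix.
func isAffected(ver string) (bool, error) {
	v, ok := parseVersion(ver)
	if !ok {
		return false, fmt.Errorf("unparseable version %q", ver)
	}
	fixed, _ := parseVersion(fixedVersion)
	return compareVersions(v, fixed) < 0, nil
}

// findModuleVersion returns the version token that follows the module path on
// any line of the text, which covers go.mod require lines (single or block
// form) and the "dep <path> <version> <hash>" lines of `go version -m`.
// A replace directive ("<path> => ...") is skipped. Returns "" if absent.
func findModuleVersion(text, module string) string {
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		for i := 0; i+1 < len(f); i++ {
			if f[i] == module && f[i+1] != "=>" {
				return f[i+1]
			}
		}
	}
	return ""
}

// sampleGoMod is a constructed manifest, not taken from any real project.
const sampleGoMod = `module example.com/h3service

go 1.22

require (
	github.com/quic-go/quic-go v0.48.2
	golang.org/x/crypto v0.28.0 // indirect
)
`

func main() {
	ver := findModuleVersion(sampleGoMod, quicGoModule)
	if ver == "" {
		fmt.Println("quic-go not found in manifest")
		return
	}
	affected, err := isAffected(ver)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s %s: affected by CVE-2026-40898 = %v (fixed in %s)\n", quicGoModule, ver, affected, fixedVersion)
}
```

In practice the text fed to `findModuleVersion` would be read from the project's `go.mod` or captured from `go version -m` run against the deployed binary; the latter matters because the binary, not the source tree, is what actually serves HTTP/3.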
