CVE-2026-42764
Status: Awaiting Analysis
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: OpenSSL Software Foundation

Description
Issue summary: Receiving a QUIC Initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server when address validation is disabled.

Impact summary: A NULL pointer dereference typically causes abnormal termination of the affected QUIC server process, resulting in a Denial of Service.

If address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an Initial packet with an invalid or expired token. By default, client address validation is enabled in the OpenSSL QUIC server implementation, so the default configuration is not vulnerable to this issue. However, if SSL_LISTENER_FLAG_NO_VALIDATE is passed to the SSL_new_listener() call, address validation is disabled and the vulnerable code becomes reachable.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-10
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openssl quic_server to 4.0|end_excluding=3.6|end_excluding=3.5|end_excluding=3.4|end_excluding=3.0 (exc)
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Mitigation Strategies

To mitigate this vulnerability, ensure that the OpenSSL QUIC server is configured with client address validation enabled.

Specifically, avoid using the SSL_LISTENER_FLAG_NO_VALIDATE flag with the SSL_new_listener() call, as this disables address validation and exposes the server to the NULL pointer dereference issue.

Since the default configuration enables client address validation, confirming that your server either runs with default listener settings or explicitly enables address validation keeps the vulnerable code path unreachable.

Executive Summary

This vulnerability occurs in the OpenSSL QUIC server when it receives an initial QUIC packet containing an invalid token while address validation is disabled.

Specifically, the invalid token can trigger a NULL pointer dereference, a programming error in which the server accesses memory through a pointer that it expects to be valid but that is actually NULL.

This issue arises only if the address validation feature is disabled using the SSL_LISTENER_FLAG_NO_VALIDATE flag with the SSL_new_listener() call. By default, address validation is enabled, so the default configuration is not vulnerable.

Impact Analysis

The primary impact of this vulnerability is that it can cause the OpenSSL QUIC server process to terminate abnormally due to a NULL pointer dereference.

This abnormal termination results in a Denial of Service (DoS), meaning the server becomes unavailable to legitimate users.

An attacker can exploit this by sending an initial QUIC packet with an invalid or expired token when address validation is disabled.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
