CVE-2026-42764
Status: Analyzed (analysis complete)

NULL Pointer Dereference in OpenSSL QUIC Server


Publication date: 2026-06-09

Last updated on: 2026-06-15

Assigner: OpenSSL Software Foundation

Description

Issue summary: Receiving a QUIC Initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server when address validation is disabled.

Impact summary: A NULL pointer dereference typically causes abnormal termination of the affected QUIC server process, resulting in a Denial of Service.

If address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an Initial packet with an invalid or expired token. By default, client address validation is enabled in the OpenSSL QUIC server implementation, so the default configuration is not vulnerable to this issue. However, if SSL_LISTENER_FLAG_NO_VALIDATE is passed to the SSL_new_listener() call, address validation is disabled and the vulnerable code becomes reachable.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.


Meta Information

Published: 2026-06-09
Last Modified: 2026-06-15
Generated: 2026-06-30
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28
Sources: NVD, EUVD

Affected Vendors & Products

3 associated CPEs (ranges are inclusive at the start and exclusive at the end):

Vendor    Product   Version / Range
openssl   openssl   3.5.0 (inclusive) to 3.5.7 (exclusive)
openssl   openssl   3.6.0 (inclusive) to 3.6.3 (exclusive)
openssl   openssl   4.0.0


Exploitability

CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.

Compliance Impact

The available information does not describe any direct impact of this vulnerability on compliance with standards and regulations such as GDPR or HIPAA; the practical exposure is service availability, not data confidentiality or integrity.

Mitigation Strategies

Upgrade to a release outside the affected ranges listed above (3.5.7 or later on the 3.5 branch, 3.6.3 or later on the 3.6 branch). This page lists 4.0.0 as affected without naming a fixed 4.0 release, so check the OpenSSL advisory for that branch.

Until the upgrade is in place, make sure the OpenSSL QUIC server runs with client address validation enabled: do not pass SSL_LISTENER_FLAG_NO_VALIDATE in the flags argument of SSL_new_listener(). Address validation is on by default, so a listener created without that flag is not exposed to this issue. Check both the application's own SSL_new_listener() call sites and any library or framework it links that creates QUIC listeners on its behalf, since the flag may be set there rather than in application code.

Executive Summary

This vulnerability occurs in the OpenSSL QUIC server when it receives a QUIC Initial packet carrying an invalid token while address validation is disabled.

The invalid token sends the server down a code path that dereferences a NULL pointer: the code assumes a pointer is valid and uses it without checking, and for this input the pointer is NULL (CWE-476). The result is a crash rather than memory corruption, so the consequence is loss of availability.

The issue is reachable only when address validation has been disabled by passing SSL_LISTENER_FLAG_NO_VALIDATE to SSL_new_listener(). Address validation is enabled by default, so the default configuration is not vulnerable.

Impact Analysis

The primary impact is abnormal termination of the OpenSSL QUIC server process caused by the NULL pointer dereference, which results in a Denial of Service: the server becomes unavailable to legitimate clients until it is restarted, and an attacker can repeat the crash as soon as it comes back.

To exploit it, an attacker sends an Initial packet carrying an invalid or expired token to a server whose listener was created with SSL_LISTENER_FLAG_NO_VALIDATE. Initial packets are the first thing a QUIC server processes from an unknown peer, so no completed handshake, credentials, or prior connection is required; the vulnerable condition is the server's configuration, not anything the attacker must obtain first.

Detection Guidance

An exposed server is one that both runs an affected OpenSSL version (3.5.0 up to but not including 3.5.7, 3.6.0 up to but not including 3.6.3, or 4.0.0, per the ranges above) and creates its QUIC listener with SSL_LISTENER_FLAG_NO_VALIDATE, so that an Initial packet with an invalid token reaches the NULL pointer dereference.

To check the first condition, compare the OpenSSL version the server actually links (for example from `openssl version`, or the version string the application reports when it is statically linked) against those ranges. To check the second, search the application source and build configuration for SSL_LISTENER_FLAG_NO_VALIDATE in SSL_new_listener() calls.

Exploitation shows up as the server process dying (segmentation fault, core dump, supervisor restart) shortly after receiving QUIC traffic. Correlate process crash records with datagrams arriving on the QUIC UDP port; Initial packets carrying a token immediately before a crash are the pattern to look for.

No vendor-provided detection command is given in the available resources; the checks above are generic version and configuration checks.
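To turn those checks into something that runs, here is an added Python example; it is not OpenSSL's code and not from this page. It compares an `openssl version` string against the affected ranges listed above, and it parses the unprotected fields of a QUIC v1 Initial packet to find packets carrying a token, which is the packet class that reaches the code path described here when the listener was created with SSL_LISTENER_FLAG_NO_VALIDATE. The sample datagrams are constructed (with an unencrypted payload), the function and field names are the example's own, and the listener's validation state is passed in as a boolean because it cannot be observed from the wire.

```python
"""Triage helpers for CVE-2026-42764: an added example, not OpenSSL's code.

1. is_affected_version(): compare an `openssl version` string against the
   ranges listed on this page (3.5.0 <= v < 3.5.7, 3.6.0 <= v < 3.6.3, 4.0.0).
2. parse_initial_header() / classify_initial(): read the Token field of a
   QUIC v1 Initial packet (RFC 9000 section 17.2.2). Connection IDs, token
   length and token bytes are not header-protected, so this works on captures.
"""
from dataclasses import dataclass
import re

AFFECTED_RANGES = (((3, 5, 0), (3, 5, 7)), ((3, 6, 0), (3, 6, 3)))  # [lo, hi)
AFFECTED_EXACT = ((4, 0, 0),)  # listed alone on this page, no fixed 4.0 named
QUIC_V1 = 0x00000001


def parse_openssl_version(text):
    """Extract the numeric version from e.g. 'OpenSSL 3.5.4 21 Oct 2025'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(text):
    v = parse_openssl_version(text)
    return v in AFFECTED_EXACT or any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def read_varint(buf, off):
    """RFC 9000 section 16 variable-length integer -> (value, next_offset)."""
    if off >= len(buf):
        raise ValueError("truncated varint")
    length = 1 << (buf[off] >> 6)  # top two bits select 1, 2, 4 or 8 bytes
    if off + length > len(buf):
        raise ValueError("truncated varint")
    value = buf[off] & 0x3F
    for b in buf[off + 1 : off + length]:
        value = (value << 8) | b
    return value, off + length


def write_varint(v):
    if v < 0x40:
        return bytes([v])
    if v < 0x4000:
        return (v | 0x4000).to_bytes(2, "big")
    if v < 0x40000000:
        return (v | 0x80000000).to_bytes(4, "big")
    return (v | 0xC000000000000000).to_bytes(8, "big")


def _take(buf, off, n):
    if off + n > len(buf):
        raise ValueError("truncated packet")
    return bytes(buf[off : off + n]), off + n


@dataclass
class InitialHeader:
    dcid: bytes
    scid: bytes
    token: bytes
    length: int  # Length field: packet number + protected payload


def parse_initial_header(buf):
    """Parse a QUIC v1 Initial long header up to the Length field.

    Returns None for anything else: short-header packets, Version Negotiation
    (version 0), other versions (v2 encodes packet types differently), and
    Handshake / 0-RTT / Retry packets. Raises ValueError on truncation.
    """
    if len(buf) < 7 or (buf[0] & 0xC0) != 0xC0:  # Header Form and Fixed Bit
        return None
    if int.from_bytes(buf[1:5], "big") != QUIC_V1 or (buf[0] & 0x30) != 0x00:
        return None
    off = 5
    n, off = _take(buf, off, 1)
    dcid, off = _take(buf, off, n[0])
    n, off = _take(buf, off, 1)
    scid, off = _take(buf, off, n[0])
    token_len, off = read_varint(buf, off)
    token, off = _take(buf, off, token_len)
    length, off = read_varint(buf, off)
    return InitialHeader(dcid, scid, token, length)


def classify_initial(buf, address_validation_enabled):
    """Verdict for one datagram. Token validity is opaque on the wire, so the
    signal is 'Initial with a token' reaching a NO_VALIDATE listener."""
    hdr = parse_initial_header(buf)
    if hdr is None:
        return "not-v1-initial"
    if not hdr.token:
        return "initial-no-token"
    if address_validation_enabled:
        return "initial-with-token-validated"
    return "initial-with-token-no-validate-listener"


def build_initial(dcid, scid, token, payload, packet_number=0):
    """Constructed, unprotected v1 Initial for offline tests; real packets
    carry an encrypted payload and a header-protected first byte."""
    pn = bytes([packet_number & 0xFF])  # first byte 0xC0 => 1-byte packet number
    return (bytes([0xC0]) + QUIC_V1.to_bytes(4, "big")
            + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid
            + write_varint(len(token)) + token
            + write_varint(len(pn) + len(payload)) + pn + payload)


# Constructed sample datagrams, not captured traffic.
SAMPLE_CLEAN = build_initial(b"\x11" * 8, b"\x22" * 4, b"", b"\x06" + b"\x00" * 40)
SAMPLE_WITH_TOKEN = build_initial(b"\x11" * 8, b"\x22" * 4,
                                  b"\xde\xad\xbe\xef" * 20, b"\x06" + b"\x00" * 40)

if __name__ == "__main__":
    for name, pkt in (("clean", SAMPLE_CLEAN), ("token", SAMPLE_WITH_TOKEN)):
        print(name, classify_initial(pkt, address_validation_enabled=False))
    print("OpenSSL 3.5.4 affected:", is_affected_version("OpenSSL 3.5.4 21 Oct 2025"))
```

Real Initial packets carry an encrypted payload and a header-protected first byte, but the packet-type bits, version, connection IDs and token are sent in the clear, so parse_initial_header() can be run over datagrams read from a capture; the pcap reader is the only part not shown. Because a token's validity is opaque to an observer, the verdict is "token present on a listener without address validation", not "invalid token"; a run of such packets immediately before a crash is the correlation worth alerting on.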
