CVE-2026-12707
Awaiting Analysis Awaiting Analysis - Queue

Memory Exhaustion in Cloudflare quiche from Unbounded PathEvent Queuing

Vulnerability report for CVE-2026-12707, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Cloudflare, Inc.

Description

Summary Cloudflare quiche was discovered to be vulnerable to memory resource exhaustion due to unbounded queuing of post-handshake client migration events. Impact quiche supports the connection migration features described in Section 9 of RFC 9000, which allows a single QUIC connection to survive changes in the network path. Although quiche implements the protections described in Section 9.3 of RFC 9000 to limit server state commitment, it was discovered that the collection of PathEvents, intended to be consumed by applications via the path_event_next() function, was not bounded. Once the QUIC handshake completed, a peer could exploit rapid source address migration in order to cause unbounded queuing of the PathEvent::ReusedSourceConnectionId type. Servers are vulnerable even if active connection migration is disabled. Mitigation: * Applications can call path_event_next() to drain the PathEvent collection, mitigating the attack. * Users are requested to upgrade to quiche 0.29.3 which is the earliest version that prevents excessive queueing of PathEvent::ReusedSourceConnectionId.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
cloudflare quiche From 0.15.0 (inc)
cloudflare quiche to 0.29.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-12707 is a vulnerability in Cloudflare's quiche library, which is used for QUIC protocol implementation. The issue involves memory resource exhaustion caused by unbounded queuing of post-handshake client migration events.

QUIC supports connection migration, allowing a single connection to survive network path changes. While quiche implements protections to limit server state commitment, it was found that the collection of PathEvents (used by applications via the path_event_next() function) was not bounded. This means an attacker could exploit rapid source address migration to cause an unbounded accumulation of PathEvent::ReusedSourceConnectionId events, leading to memory exhaustion.

This vulnerability affects servers even if active connection migration is disabled. The issue was patched in quiche version 0.29.3.

Impact Analysis

This vulnerability can impact you in the following ways:

  • Memory resource exhaustion: An attacker can cause your server to consume excessive memory by exploiting rapid source address migration, leading to performance degradation or crashes.
  • Denial of Service (DoS): The high impact on availability (as indicated by the CVSS score) means your service could become unresponsive or unavailable to legitimate users.
  • No user interaction or privileges required: The attack can be carried out remotely without any special privileges or user interaction, making it easier for attackers to exploit.

The vulnerability affects servers using quiche versions 0.15.0 and above, regardless of whether active connection migration is enabled or disabled.

Compliance Impact

This vulnerability may affect compliance with common standards and regulations in the following ways:

  • GDPR: If the vulnerability leads to a denial of service (DoS) or service disruption, it could impact the availability of personal data, potentially violating GDPR's requirements for data availability and integrity (Article 32). Additionally, if the attack results in unauthorized access or data breaches, it could lead to non-compliance with GDPR's data protection principles.
  • HIPAA: For organizations handling protected health information (PHI), a DoS attack exploiting this vulnerability could disrupt access to critical systems, violating HIPAA's requirements for ensuring the availability of electronic PHI (ePHI). This could be considered a security incident under the HIPAA Security Rule (45 CFR Part 164, Subpart C).
  • Other standards: Many compliance frameworks (e.g., ISO 27001, NIST SP 800-53) require organizations to protect against resource exhaustion attacks and ensure system availability. Failure to mitigate this vulnerability could result in non-compliance with such standards.

To maintain compliance, organizations should apply the recommended patch (quiche 0.29.3) or implement the suggested mitigation (draining PathEvents via path_event_next()).

Detection Guidance

Detecting this vulnerability on your network or system involves checking for signs of memory resource exhaustion caused by unbounded queuing of PathEvent::ReusedSourceConnectionId events in Cloudflare quiche. Since the issue is related to QUIC connection migration events, you can monitor for unusual memory usage or event queue growth in applications using quiche.

To detect potential exploitation, you can:

  • Monitor memory usage of applications using quiche, particularly those handling QUIC connections. Sudden spikes in memory consumption may indicate exploitation.
  • Check for the presence of excessive PathEvent::ReusedSourceConnectionId events in the event queue. Applications can use the path_event_next() function to inspect the queue, but this requires custom instrumentation.
  • Verify the version of quiche in use. If your system is running quiche version 0.15.0 or above but below 0.29.3, it is vulnerable. You can check the version by inspecting the library or package metadata, for example:
  • For Rust projects, check Cargo.lock or run cargo tree | grep quiche to identify the version.
  • For systems using package managers, run commands like dpkg -l | grep quiche (Debian/Ubuntu) or rpm -qa | grep quiche (RHEL/CentOS) to list installed versions.

There are no specific network-level commands to detect this vulnerability, as it is a library-level issue. Detection relies on monitoring application behavior and verifying library versions.

Mitigation Strategies

To mitigate this vulnerability, follow these immediate steps:

  • Upgrade to quiche version 0.29.3 or later. This is the earliest version that prevents excessive queueing of PathEvent::ReusedSourceConnectionId events. Refer to the official quiche repository or your package manager for upgrade instructions.
  • If upgrading is not immediately possible, applications can mitigate the issue by calling path_event_next() frequently to drain the PathEvent collection. This prevents unbounded growth of the event queue.
  • Monitor applications using quiche for signs of memory exhaustion or unusual behavior, particularly those handling QUIC connections. Restart affected services if necessary to free up memory.
  • Review and apply any additional guidance provided by Cloudflare or the maintainers of the quiche library, as they may release further updates or recommendations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12707. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart