CVE-2026-44433
Received Received - Intake

Denial of Service in Quicly via Stream Frame Offset

Vulnerability report for CVE-2026-44433, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 8b178e6, an adversarial peer could send a STREAM frame carrying just one byte at the largest offset being permitted to obtain additional flow control credit, which under certain circumstances could lead to a Denial of Service. Assuming the application prepares a receive buffer for storing all data that arrive out-of-order, up to the largest offset being received, this behavior could lead to the application allocating large amount of memory with the peer sending only a handful of packets, resulting in memory exhaustion. In addition to the receive buffer allocation strategy, the severity of this vulnerability depends on how the application controls the stream concurrency. In case of the H2O HTTP server, under its default setting, this bug increases the maximum amount of memory allocated per connection by about 4 times. This issue has been fixed by commit 8b178e6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
h2o http_server *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Quicly allows an adversarial peer to send a STREAM frame with just one byte at the largest permitted offset to gain extra flow control credit. This can cause memory exhaustion if the application allocates receive buffers for all out-of-order data up to the largest offset, even if only a few packets are sent.

Detection Guidance

This vulnerability can be detected by monitoring for unusual memory usage patterns or excessive flow control credit requests in QUIC protocol implementations. Check if your Quicly or H2O HTTP server version is prior to commit 8b178e6. Inspect network traffic for STREAM frames with large offsets but minimal data payloads.

Impact Analysis

An attacker could exploit this to cause a Denial of Service by forcing the application to allocate excessive memory, potentially crashing the server or degrading performance. For H2O HTTP server, this increases memory usage per connection by about 4 times under default settings.

Mitigation Strategies

Update Quicly to commit 8b178e6 or later. If using H2O HTTP server, upgrade to a patched version. Limit stream concurrency and monitor memory allocation per connection. Apply rate limiting to QUIC traffic to prevent excessive flow control credit abuse.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44433. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart