CVE-2026-44434
Received Received - Intake

Stateless Reset Injection in Quicly

Vulnerability report for CVE-2026-44434, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit dccf5d4, Quicly was vulnerable to stateless reset injection through lack of packet entry validation. The QUIC protocol is designed to withstand packet injection attacks, once the handshake is complete. Only packets that carry some secret patterns are considered as stateless resets. Quicly allows the peer to share up to 4 such patterns per connection. However, until now, it failed to determine which of the 4 slots that it uses to retain the secret patterns contains a valid entry. As the slots are zero-initialized, the failure meant that, unless the peer advertised 4 of such patterns, an all-zero pattern was treated as a stateless reset.In effect, this allowed an on-path attacker to reset QUIC connections governed by Quicly. This issue has been fixed by commit dccf5d4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cloudflare quicly to dccf5d4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-665 The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Quicly is a QUIC protocol implementation vulnerable to stateless reset injection due to improper validation of packet entries. The flaw allowed an all-zero pattern to be treated as a valid stateless reset if fewer than 4 secret patterns were advertised by the peer. This could let an on-path attacker reset QUIC connections using Quicly.

Detection Guidance

This vulnerability involves stateless reset injection in Quicly due to improper validation of packet entry patterns. Detection requires monitoring QUIC traffic for unexpected connection resets or invalid stateless reset patterns. Use packet capture tools like tcpdump or Wireshark to analyze QUIC packets for reset frames with zero patterns. Check Quicly logs for connection terminations without proper handshake completion.

Impact Analysis

An attacker could disrupt QUIC connections managed by Quicly, leading to service interruptions or degraded performance. Since QUIC is often used for modern web traffic, this could affect user experience for services relying on Quicly.

Mitigation Strategies

Update Quicly to the latest version containing commit dccf5d4 or later. If immediate update is not possible, disable QUIC support temporarily or restrict QUIC traffic to trusted networks. Monitor network traffic for signs of exploitation, such as unexpected connection resets.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44434. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart