CVE-2026-44435
Received Received - Intake

Assertion Failure DoS in Quicly QUIC Protocol Implementation

Vulnerability report for CVE-2026-44435, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 937d0e9, an assertion failure is raised when the total number of valid handshake messages received over a CRYPTO stream of a single packet number space exceeds 32KB, causing a Denial of Service. This issue has been fixed by commit 937d0e9.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Denial of Service issue in Quicly, an IETF QUIC protocol implementation. It occurs when the total number of valid handshake messages received over a CRYPTO stream in a single packet number space exceeds 32KB, triggering an assertion failure that crashes the system.

Impact Analysis

This vulnerability can cause a Denial of Service, meaning an attacker could send specially crafted handshake messages to crash the affected system, disrupting its normal operation and making it unavailable to legitimate users.

Mitigation Strategies

Update Quicly to commit 937d0e9 or later to fix the assertion failure issue causing Denial of Service.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44435. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart