CVE-2026-44436
Received Received - Intake

Denial of Service in Quicly through Connection ID Corruption

Vulnerability report for CVE-2026-44436, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 8b178e6, Quicly is vulnerable to a Denial of Service attack through connection state corruption. In QUIC Invariants, the maximum length of a Connection ID is 255 bytes, while QUIC version 1 further restricts the maximum to 20 bytes. Quicly implements QUIC version 1 and therefore its CID buffers are limited to 20 bytes. However, to be able to respond to unknown versions of QUIC, its packet decoder accepts Connection IDs of up to 255 bytes. As its CID buffers are merely 20 bytes long, Quicly must reject QUIC version 1 packets with Connection IDs longer than that. The command line tool bundled with Quicly has had that check, however the library itself lacked such enforcement. As a consequence, when used by applications that lack their own enforcement, the connection state becoming inconsistent to buffer overrun. Fortunately, the overflow stops within the allocated chunk of memory, but nevertheless, the bug leads to assertion failures. This issue has been fixed by commit 8b178e6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Quicly is a QUIC protocol implementation vulnerable to a Denial of Service attack via connection state corruption. The issue occurs because Quicly's library does not enforce the 20-byte limit for Connection IDs in QUIC version 1, despite its buffers being limited to 20 bytes. This allows packets with longer Connection IDs to cause buffer overruns, leading to assertion failures and inconsistent connection states.

Impact Analysis

This vulnerability can cause Denial of Service by crashing applications using Quicly due to memory corruption. Attackers can send malformed QUIC packets with oversized Connection IDs, triggering assertion failures and disrupting service availability.

Mitigation Strategies

Update Quicly to commit 8b178e6 or later to address the vulnerability. Ensure applications using Quicly implement their own Connection ID length checks if not using the latest version.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44436. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart