CVE-2026-12523 in quicheinfo

Summary

by MITRE • 07/14/2026

Summary



Cloudflare quiche's HTTP/3 layer was discovered to be vulnerable to resource exhaustion (i.e., memory) by means of specially crafted HTTP/3 frames.




Impact



HTTP/3 defines multiple frame types to support HTTP message exchanges and connection management. Each frame has a length and a payload whose length depends on the frame type. quiche was found to be vulnerable when parsing some frame types to pre-allocating memory based on the declared length. An attacker would not need to send the number of declared bytes to trigger this issue.



In addition, quiche was found to not apply QPACK decompression limits correctly. This could allow an attacker to send specially crafted HEADERS frames that would cause more memory commitment than otherwise advertised by MAX_FIELD_SECTION_SIZE (configured by set_max_field_section_size()).






Mitigation:

*

Users are requested to upgrade to quiche 0.29.3 which is the earliest version containing the fix for this issue.









Credits: Disclosed responsibly by Sébastien Féry

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability in Cloudflare's quiche HTTP/3 implementation represents a critical resource exhaustion flaw that could enable denial-of-service conditions through carefully crafted HTTP/3 frames. This issue affects the memory allocation mechanisms within the quiche library, which serves as a foundational component for HTTP/3 protocol handling in various web applications and services. The vulnerability manifests when the library processes specific frame types that trigger pre-allocation of memory based on declared frame lengths without proper validation of actual payload data. According to CWE-400, this constitutes a classic resource exhaustion vulnerability where attacker-controlled input directly influences memory allocation decisions, creating potential for system instability or complete service disruption.

The technical flaw occurs at the protocol parsing layer where quiche's HTTP/3 implementation fails to properly validate frame length specifications before committing memory resources. When processing certain frame types, the library pre-allocates memory buffers based on values specified in the frame headers without ensuring that sufficient data is actually available to fill those buffers. This allows attackers to send malformed frames with inflated size declarations, causing the system to allocate excessive memory while only providing minimal actual payload data. The vulnerability operates outside normal protocol validation boundaries since attackers do not need to transmit the full declared amount of data to trigger the memory allocation behavior, making detection and prevention more challenging.

The operational impact extends beyond simple memory consumption to include potential application instability and service unavailability across systems relying on quiche for HTTP/3 functionality. This vulnerability affects any system that utilizes quiche as its underlying HTTP/3 implementation, including web servers, reverse proxies, and client applications. The combination of improper memory pre-allocation and inadequate QPACK decompression limits creates a dual threat where attackers can simultaneously exhaust memory resources through frame handling and potentially bypass configured field section size limits. This behavior aligns with ATT&CK technique T1499.004 which describes resource exhaustion attacks targeting application memory management.

Additional concerns arise from the QPACK decompression limit implementation flaw that allows attackers to craft HEADERS frames capable of triggering more memory commitment than specified by MAX_FIELD_SECTION_SIZE configuration parameters. This represents a particularly dangerous aspect of the vulnerability since it operates at the compression layer where memory consumption can be exponential relative to payload size, potentially enabling attackers to cause dramatic resource consumption with relatively small frame payloads. The vulnerability affects systems that implement HTTP/3 with QPACK header compression, which is standard practice in modern web protocols.

The recommended mitigation strategy involves upgrading to quiche version 0.29.3, which contains the necessary fixes for both the memory pre-allocation issue and the QPACK decompression limit handling. This upgrade addresses the root cause by implementing proper bounds checking on frame lengths before memory allocation occurs and by correctly enforcing configured field section size limits during QPACK decompression operations. The fix demonstrates proper adherence to security best practices by ensuring that all resource allocations are validated against actual data availability rather than relying solely on header-specified values, thereby preventing the conditions that enabled the resource exhaustion attack vector.

Security researchers who discovered this vulnerability have responsibly disclosed their findings through appropriate channels, following established protocols for vulnerability reporting and disclosure. The coordinated disclosure approach ensures that affected parties can implement necessary patches before public exposure while maintaining the security community's trust in responsible vulnerability management practices. This vulnerability highlights the critical importance of proper resource validation in protocol implementations, particularly when dealing with variable-length data structures where attacker-controlled inputs directly influence system resource allocation decisions. Organizations should prioritize immediate deployment of the patched quiche version to protect their HTTP/3 implementations from potential exploitation attempts targeting these memory exhaustion vulnerabilities.

Responsible

Cloudflare

Reservation

06/17/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!