CVE-2026-44436 in quiclyinfo

Summary

by MITRE • 07/17/2026

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 8b178e6, Quicly is vulnerable to a Denial of Service attack through connection state corruption. In QUIC Invariants, the maximum length of a Connection ID is 255 bytes, while QUIC version 1 further restricts the maximum to 20 bytes. Quicly implements QUIC version 1 and therefore its CID buffers are limited to 20 bytes. However, to be able to respond to unknown versions of QUIC, its packet decoder accepts Connection IDs of up to 255 bytes. As its CID buffers are merely 20 bytes long, Quicly must reject QUIC version 1 packets with Connection IDs longer than that. The command line tool bundled with Quicly has had that check, however the library itself lacked such enforcement. As a consequence, when used by applications that lack their own enforcement, the connection state becoming inconsistent to buffer overrun. Fortunately, the overflow stops within the allocated chunk of memory, but nevertheless, the bug leads to assertion failures. This issue has been fixed by commit 8b178e6.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The Quicly implementation presents a critical denial of service vulnerability stemming from improper connection state management and buffer handling within its QUIC protocol processing. This vulnerability specifically affects applications using Quicly as a library component rather than the command line tool which already contained the necessary safeguards. The flaw manifests when processing QUIC version 1 packets that contain Connection IDs exceeding the permitted 20-byte limit, despite the implementation's design constraints for version 1 connections.

The technical root cause lies in the inconsistent buffer management between different QUIC versions and the library's packet decoding logic. While QUIC version 1 specifications mandate a maximum Connection ID length of 20 bytes, the Quicly library's packet decoder maintains support for unknown QUIC versions that may accept up to 255-byte Connection IDs. This design creates a mismatch where internal buffers are allocated with only 20-byte capacity for Connection IDs, yet the decoder accepts longer values without proper validation.

This inconsistency results in buffer overflows that corrupt connection state information and trigger assertion failures within the application's memory management subsystem. The vulnerability operates at the intersection of CWE-121 heap-based buffer overflow and CWE-787 out-of-bounds write conditions, where improperly validated input data exceeds allocated buffer boundaries. When applications utilizing Quicly as a library component fail to implement their own enforcement mechanisms, the library's inadequate validation leads to memory corruption that manifests as assertion failures.

The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise application stability and introduce unpredictable behavior in production environments. Attackers can exploit this weakness by crafting malicious QUIC packets with oversized Connection IDs, causing legitimate applications using Quicly to crash or become unresponsive. The vulnerability affects any application that relies on Quicly's library functionality without implementing additional input validation, making it particularly dangerous in server environments where continuous availability is critical.

The mitigation strategy involves implementing proper input validation within the library itself, ensuring that Connection ID lengths are strictly enforced according to QUIC version specifications. The fix introduced in commit 8b178e6 addresses this by adding mandatory validation checks that prevent oversized Connection IDs from being processed beyond the allocated buffer boundaries. This remediation aligns with ATT&CK technique T1499.004 for resource exhaustion and follows security best practices for input validation as outlined in the OWASP Top 10. The solution ensures that all QUIC version 1 packets are properly validated before processing, eliminating the buffer overflow condition while maintaining compatibility with legitimate connection establishment scenarios.

Responsible

GitHub M

Reservation

05/06/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00278

KEV

no

Activities

low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!