Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler_CVE-2026-34183

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Issue summary: Remote peer may exhaust heap memory of the QUIC
server or client by flooding it with packets containing PATH_CHALLENGE
frames.

Impact summary: A malicious remote peer can cause an unbounded
memory allocation which can lead to an abnormal termination of the
application acting as a QUIC client or server and a Denial of Service.

A remote peer may exhaust heap memory by flooding the local
QUIC stack with PATH_CHALLENGE frames. The local QUIC stack
allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives.
The allocated PATH_RESPONSE frame gets freed only when the remote
peer acknowledges reception of the PATH_RESPONSE frame which will
not be done by a malicious peer.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by
this issue. The QUIC stack is outside of OpenSSL FIPS module
boundary.

Basic Information

ID CVE-2026-34183

Source openssl

Published Jun 9, 2026 at 16:03

Modified Jun 10, 2026 at 15:51

Affected Product

Vendor OpenSSL

Product OpenSSL

Version 4.0.0

Affected Versions OpenSSL OpenSSL 4.0.0
OpenSSL OpenSSL 3.6.0
OpenSSL OpenSSL 3.5.0
OpenSSL OpenSSL 3.4.0

CWE Classification

CWE-1325

References

{
    "lastseen": "",
    "description": "Issue summary: Remote peer may exhaust heap memory of the QUIC\nserver or client by flooding it with packets containing PATH_CHALLENGE\nframes.\n\nImpact summary: A malicious remote peer can cause an unbounded\nmemory allocation which can lead to an abnormal termination of the\napplication acting as a QUIC client or server and a Denial of Service.\n\nA remote peer may exhaust heap memory by flooding the local\nQUIC stack with PATH_CHALLENGE frames. The local QUIC stack\nallocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives.\nThe allocated PATH_RESPONSE frame gets freed only when the remote\npeer acknowledges reception of the PATH_RESPONSE frame which will\nnot be done by a malicious peer.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by\nthis issue. The QUIC stack is outside of OpenSSL FIPS module\nboundary.",
    "published": "2026-06-09T16:03:23.623Z",
    "modified": "2026-06-10T15:51:12.557Z",
    "type": "cve",
    "title": "Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler",
    "source": "openssl",
    "references": "https://openssl-library.org/news/secadv/20260609.txt\nhttps://github.com/openssl/openssl/commit/fbaa83859c01ad64f497b757aaf51be7d05ed9eb\nhttps://github.com/openssl/openssl/commit/5b306efb0b3779dfdd0803b4afc9d08c91f11517\nhttps://github.com/openssl/openssl/commit/7d06955ebe0ecf8adfd4c1e92018586da47ef9ac\nhttps://github.com/openssl/openssl/commit/d2e9efbe4900a373227deb136e8665401404ffac",
    "id": "CVE-2026-34183",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1325"
    ],
    "cvelist": null,
    "sourceData": "OpenSSL OpenSSL 4.0.0\nOpenSSL OpenSSL 3.6.0\nOpenSSL OpenSSL 3.5.0\nOpenSSL OpenSSL 3.4.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "OpenSSL",
    "version": "4.0.0",
    "vendor": "OpenSSL",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}