CVE-2026-34183

EUVD-2026-35479

09.06.2026, 17:17

Issue summary: Remote peer may exhaust heap memory of the QUIC
server or client by flooding it with packets containing PATH_CHALLENGE
frames.

Impact summary: A malicious remote peer can cause an unbounded
memory allocation which can lead to an abnormal termination of the
application acting as a QUIC client or server and a Denial of Service.

A remote peer may exhaust heap memory by flooding the local
QUIC stack with PATH_CHALLENGE frames. The local QUIC stack
allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives.
The allocated PATH_RESPONSE frame gets freed only when the remote
peer acknowledges reception of the PATH_RESPONSE frame which will
not be done by a malicious peer.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by
this issue. The QUIC stack is outside of OpenSSL FIPS module
boundary.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
openssl	CNA	UNKNOWN				---

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
openssl	openssl	4.0.0 ≤ 𝑥 < 4.0.1	CNA
openssl	openssl	3.6.0 ≤ 𝑥 < 3.6.3	CNA
openssl	openssl	3.5.0 ≤ 𝑥 < 3.5.7	CNA
openssl	openssl	3.4.0 ≤ 𝑥 < 3.4.6	CNA

Debian Releases

Debian Product

Codename

openssl

bookworm	3.0.20-1~deb12u1 fixed
bookworm (security)	3.0.19-1~deb12u2 fixed
bullseye	1.1.1w-0+deb11u1 fixed
bullseye (security)	1.1.1w-0+deb11u7 fixed
forky	vulnerable
sid	vulnerable
trixie	vulnerable
trixie (security)	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

openssl

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
questing	Fixed 3.5.3-1ubuntu3.4 released
resolute	Fixed 3.5.5-1ubuntu3.2 released
trusty	not-affected
xenial	not-affected

openssl-fips

jammy	not-affected
noble	not-affected
questing	dne
resolute	dne

openssl1.0

bionic	not-affected
jammy	dne
noble	dne
questing	dne
resolute	dne

nodejs

bionic	not-affected
focal	not-affected
jammy	needed
noble	not-affected
questing	not-affected
resolute	not-affected
trusty	not-affected

edk2

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
questing	needs-triage
resolute	needs-triage

Common Weakness Enumeration

CWE-1325 - Improperly Controlled Sequential Memory Allocation
The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.

References

https://github.com/openssl/security/commit/5b306efb0b3779dfdd0803b4afc9d08c91f11517

https://github.com/openssl/security/commit/7d06955ebe0ecf8adfd4c1e92018586da47ef9ac

https://github.com/openssl/security/commit/d2e9efbe4900a373227deb136e8665401404ffac

https://github.com/openssl/security/commit/fbaa83859c01ad64f497b757aaf51be7d05ed9eb

https://openssl-library.org/news/secadv/20260609.txt