CVE-2026-42764

EUVD-2026-35481

09.06.2026, 17:17

Issue summary: Receiving a QUIC initial packet with an invalid token may
trigger a NULL pointer dereference in the OpenSSL QUIC server with
address validation disabled.

Impact summary: NULL pointer dereference typically causes abnormal termination
of the affected QUIC server process and a Denial of Service.

If the address validation is disabled in the OpenSSL QUIC server
implementation, an attacker can crash the server by sending an initial
packet with an invalid or expired token.

By default, the client address validation is enabled in the OpenSSL QUIC server
implementation, which makes the default configuration not vulnerable
to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with
the SSL_new_listener() call, the address validation is disabled making the
vulnerable code reachable.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
openssl	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
openssl	openssl	4.0.0 ≤ 𝑥 < 4.0.1	CNA
openssl	openssl	3.6.0 ≤ 𝑥 < 3.6.3	CNA
openssl	openssl	3.5.0 ≤ 𝑥 < 3.5.7	CNA

Debian Releases

Debian Product

Codename

openssl

bookworm	3.0.20-1~deb12u1 fixed
bookworm (security)	3.0.19-1~deb12u2 fixed
bullseye	1.1.1w-0+deb11u1 fixed
bullseye (security)	1.1.1w-0+deb11u7 fixed
forky	vulnerable
sid	vulnerable
trixie	vulnerable
trixie (security)	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

openssl

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
questing	Fixed 3.5.3-1ubuntu3.4 released
resolute	Fixed 3.5.5-1ubuntu3.2 released
trusty	not-affected
xenial	not-affected

openssl-fips

jammy	not-affected
noble	not-affected
questing	dne
resolute	dne

openssl1.0

bionic	not-affected
jammy	dne
noble	dne
questing	dne
resolute	dne

nodejs

bionic	not-affected
focal	not-affected
jammy	needed
noble	not-affected
questing	not-affected
resolute	not-affected
trusty	not-affected

edk2

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
questing	not-affected
resolute	needs-triage

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://github.com/openssl/security/commit/5e3ed291b8af0b03d5d3b9e56a1da69a187e9729

https://github.com/openssl/security/commit/a45a0aba8095682c88ff4fc4a784892b8c6f0677

https://github.com/openssl/security/commit/bf29a458c1a231eca87e384c62b9c2553fa57a91

https://openssl-library.org/news/secadv/20260609.txt