Description
Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a denial of service (degraded availability) by sending crafted QUIC Initial packets.



To remediate this issue, users should upgrade to v1.8.2.
Published: 2026-06-10
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from an unbounded memory allocation in the CRYPTO frame reassembler of s2n-quic. An unauthenticated remote actor can transmit specially crafted QUIC Initial packets that trigger repeated allocation of memory without bounds, leading to exhaustion of system resources. This manifests as a denial of service, degrading the availability of the affected service. The weakness corresponds to uncontrolled memory allocation, classified under CWE-770.

Affected Systems

The affected product is AWS s2n-quic. All released versions prior to 1.8.2 are vulnerable; the fix is included in version 1.8.2 and later.

Risk and Exploitability

The CVSS v4.0 score of 6.9 corresponds to Medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote and unauthenticated: a threat actor can send crafted QUIC Initial packets over the network to a target running s2n-quic before 1.8.2. If successful, the attacker can force the target to allocate excessive memory, consuming resources and causing service interruption.

Generated by OpenCVE AI on June 10, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AWS s2n-quic to version 1.8.2 or later, which implements bounds checking for the CRYPTO frame reassembler.
  • If an upgrade cannot be applied immediately, block or throttle QUIC traffic from external sources to limit the rate of incoming Initial packets.
  • Configure the application or infrastructure to monitor memory consumption and alert when anomalous spikes occur, enabling rapid response to potential exploitation attempts.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a denial of service (degraded availability) by sending crafted QUIC Initial packets. To remediate this issue, users should upgrade to v1.8.2.
Title | | Excessive memory allocation in s2n-quic
First Time appeared | | Aws; Aws s2n-quic
Weaknesses | | CWE-770
CPEs | | cpe:2.3:a:aws:s2n-quic:*:*:*:*:*:*:*:*
Vendors & Products | | Aws; Aws s2n-quic
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}; cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-06-10T19:14:59.133Z

Reserved: 2026-06-03T13:13:46.286Z

Link: CVE-2026-10740

Vulnrichment

Updated: 2026-06-10T19:14:32.421Z

NVD

Status: Awaiting Analysis

Published: 2026-06-10T19:16:32.470

Modified: 2026-06-10T20:19:35.917

Link: CVE-2026-10740

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T20:30:28Z
