CVE-2026-11941 - Vulnerability Details

Description

Cloudflare Quiche was affected by 2 use-after-free vulnerabilities in the connection ID iterator FFI functions.

The “quiche_connection_id_iter_next” and “quiche_conn_retired_scid_next” functions would return a pointer to a “ConnectionId” to the applications via function arguments, but the owned “ConnectionId” would be dropped at the end of those functions' scope.

Only applications using those FFI functions are affected. The FFI API is disabled by default by a build-time feature flag.

Impact
If unpatched, an application calling the affected FFI functions will dereference freed memory. The most likely outcome is undefined behavior leading to a process crash (denial of service). Depending on allocator state, the read may also return adjacent heap contents, resulting in limited information disclosure or incorrect connection identifier handling.

Mitigation
Users are requested to upgrade to quiche 0.29.2 which is the earliest version containing the fix for this issue.

Published: 2026-06-19

Score: 5.6 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

Cloudflare Quiche contains a use‑after‑free vulnerability in two FFI iterator functions. These functions return a pointer to a ConnectionId that is freed at the end of the function’s scope, resulting in the application dereferencing freed memory. The most common consequence is a process crash, but depending on the allocator state, the read may expose adjacent heap data, yielding limited information disclosure or incorrect handling of connection identifiers.

Affected Systems

The vulnerability is limited to the Cloudflare Quiche library. Only applications that incorporate the quiche_connection_id_iter_next or quiche_conn_retired_scid_next FFI functions are affected, and these functions are disabled by default through a build‑time feature flag. Users running Quiche versions older than 0.29.2 that have these functions enabled are at risk.

Risk and Exploitability

With a CVSS score of 5.6, the vulnerability has moderate severity. No EPSS data is available, and it is not listed in CISA KEV, indicating no documented exploitation. Exploitation requires the application to link to the vulnerable FFI functions, so an attacker would need interactive access to the application environment or supply malicious input that triggers the deallocated pointer dereference. The primary impact remains denial of service through crash, with a secondary risk of minimal data exposure.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cloudflare

Quiche

unaffected

Version	Status	Constraints
`0.20.0`	affected	≤ 0.29.1

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Quiche to version 0.29.2 or later, which contains the patch for the use‑after‑free bug.
Disable the FFI API for connection ID iterators by removing the build‑time feature flag or ensuring the functions are not called if the feature is not needed.
Audit your application code to confirm that quiche_connection_id_iter_next and quiche_conn_retired_scid_next are not used, or replace them with safe alternatives that avoid dereferencing freed memory.

Generated by OpenCVE AI on June 19, 2026 at 12:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/cloudflare/quiche/security/advisories/GHSA-mh64-ph39-mrc9

History

Fri, 19 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
Description		Cloudflare Quiche was affected by 2 use-after-free vulnerabilities in the connection ID iterator FFI functions. The “quiche_connection_id_iter_next” and “quiche_conn_retired_scid_next” functions would return a pointer to a “ConnectionId” to the applications via function arguments, but the owned “ConnectionId” would be dropped at the end of those functions' scope. Only applications using those FFI functions are affected. The FFI API is disabled by default by a build-time feature flag. Impact If unpatched, an application calling the affected FFI functions will dereference freed memory. The most likely outcome is undefined behavior leading to a process crash (denial of service). Depending on allocator state, the read may also return adjacent heap contents, resulting in limited information disclosure or incorrect connection identifier handling. Mitigation Users are requested to upgrade to quiche 0.29.2 which is the earliest version containing the fix for this issue.
Title		Use-after-free in connection ID iterator and FFI functions
Weaknesses		CWE-416
References		https://github.com/cloudflare/quiche/security/advisories/GHSA-mh64-ph39-mrc9
Metrics		cvssV3_1 `{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: cloudflare

Published: 2026-06-19T09:55:54.501Z

Updated: 2026-06-19T09:55:54.501Z

Reserved: 2026-06-10T20:16:34.590Z

Link: CVE-2026-11941

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T12:30:06Z

Weaknesses

CWE-416
Use After Free

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object