Description
Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto parsing logic, attacker-controlled varints are decoded with unwrap(), so truncated encodings cause Err(UnexpectedEnd) and panic. This is reachable over the network with a single packet and no prior trust or authentication. This vulnerability is fixed in 0.11.14.
Published: 2026-03-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A denial‑of‑service flaw occurs when an unauthenticated remote sender transmits a QUIC Initial packet that contains malformed transport parameters. The quinn implementation decodes varints with unwrap, causing a panic when truncated encoding is encountered; the panic terminates the application process, leading to a full service denial. The weakness is identified as CWE‑248, representing untrusted data causing a crash.

Affected Systems

The vulnerability affects the Quinn Rust library prior to version 0.11.14. Applications that depend on quinn 0.11.13 or earlier and do not apply the patch are at risk. No other vendors or platforms are directly affected.

Risk and Exploitability

The flaw is rated CVSS 8.7, a high severity due to its network reachability and unauthenticated nature. The Exploit Prediction Scoring System indicates a very low exploitation probability (under 1 %). Quinn is not listed in the CISA KEV catalog, suggesting no widespread known exploitation as of the last update. Attackers can trigger the vulnerability with a single malformed QUIC packet; no authentication, no privileged access required.

Generated by OpenCVE AI on April 16, 2026 at 03:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Quinn library to version 0.11.14 or later to apply the fix.
  • Restart the affected services to clear the crash loop until the patch can be applied.
  • Implement network-level rate limiting or firewall rules to restrict or drop malformed QUIC Initial packets from suspicious sources until the patch is deployed.

Generated by OpenCVE AI on April 16, 2026 at 03:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6xvm-j4wr-6v98 Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing
History

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Important

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Quinn-rs
Quinn-rs quinn
Vendors & Products Quinn-rs
Quinn-rs quinn

Tue, 10 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Description Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto parsing logic, attacker-controlled varints are decoded with unwrap(), so truncated encodings cause Err(UnexpectedEnd) and panic. This is reachable over the network with a single packet and no prior trust or authentication. This vulnerability is fixed in 0.11.14.
Title Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing
Weaknesses CWE-248
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Quinn-rs Quinn
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:19:29.150Z

Reserved: 2026-03-09T16:33:42.914Z

Link: CVE-2026-31812

cve-icon Vulnrichment

Updated: 2026-03-11T15:13:04.417Z

cve-icon NVD

Status : Deferred

Published: 2026-03-10T22:16:18.840

Modified: 2026-04-16T14:47:16.733

Link: CVE-2026-31812

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-10T21:04:36Z

Links: CVE-2026-31812 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:15:22Z

Weaknesses