CVE-2026-34183 - Vulnerability Details

- Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler

Description

Issue summary: Remote peer may exhaust heap memory of the QUIC
server or client by flooding it with packets containing PATH_CHALLENGE
frames.

Impact summary: A malicious remote peer can cause an unbounded
memory allocation which can lead to an abnormal termination of the
application acting as a QUIC client or server and a Denial of Service.

A remote peer may exhaust heap memory by flooding the local
QUIC stack with PATH_CHALLENGE frames. The local QUIC stack
allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives.
The allocated PATH_RESPONSE frame gets freed only when the remote
peer acknowledges reception of the PATH_RESPONSE frame which will
not be done by a malicious peer.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by
this issue. The QUIC stack is outside of OpenSSL FIPS module
boundary.

Published: 2026-06-09

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Remote peers can flood an OpenSSL QUIC stack with PATH_CHALLENGE frames, causing the local system to allocate a PATH_RESPONSE frame for each challenge. Because the remote peer never acknowledges the responses, the allocated frames persist on the heap, leading to unbounded memory growth that can eventually exhaust server or client memory and cause the application to terminate unexpectedly. This weakness—an unchecked memory allocation flaw (CWE‑1325) and an unbounded allocation issue (CWE‑770)—permits an attacker to trigger a denial‑of‑service condition without requiring elevated privileges on the target system.

Affected Systems

All OpenSSL implementations that include a QUIC stack, except those built with the FIPS modules 4.0, 3.6, 3.5, 3.4, and 3.0, are vulnerable. The specific affected versions are not enumerated in the advisory; any build that has the unpatched QUIC path challenge handler is at risk until the official fix is applied.

Risk and Exploitability

Remote peers can flood a vulnerable OpenSSL QUIC stack with PATH_CHALLENGE frames, causing each challenge to trigger allocation of a PATH_RESPONSE that is never freed because the malicious peer never acknowledges it. This unbounded heap growth can exhaust system memory and lead to termination of the application, creating a denial‑of‑service condition. The CVSS score of 7.5 indicates a high severity, while the EPSS < 1% suggests a low probability of active exploitation at present. The vulnerability is not listed in CISA’s KEV catalog, but the lack of authentication and the ability to force arbitrary memory consumption make it a significant risk for exposed QUIC endpoints. The attack vector is straightforward: an attacker initiates a QUIC connection and repeatedly sends PATH_CHALLENGE frames without reciprocity. The flaw involves both unchecked memory allocation (CWE‑1325) and unbounded memory allocation (CWE‑770).

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

OpenSSL

unaffected

Version	Status	Constraints
`4.0.0`	affected	< 4.0.1
`3.6.0`	affected	< 3.6.3
`3.5.0`	affected	< 3.5.7
`3.4.0`	affected	< 3.4.6

Configuration 1 [-]

OR	cpe:2.3:a:openssl:openssl::::::::
	cpe:2.3:a:openssl:openssl::::::::
	cpe:2.3:a:openssl:openssl::::::::
	cpe:2.3:a:openssl:openssl:4.0.0:-::::::

No data.

Vendor Product Confidence Versions

Openssl

100%

Version	Status	Scheme	Platform
`[4.0.0,4.0.1)`	affected	semver	—
`[3.6.0,3.6.3)`	affected	semver	—
`[3.5.0,3.5.7)`	affected	semver	—
`[3.4.0,3.4.6)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update OpenSSL to a version that includes the commit fixing the unbounded memory allocation in the QUIC PATH_CHALLENGE handler (e.g., the latest release after commit 5b306efb0). This patch implements checks for CWE‑1325 and CWE‑770 by ensuring that allocated PATH_RESPONSE frames are properly freed or bounded.
If updating is not feasible in a timely manner, disable QUIC support in the application or configure it to reject or drop PATH_CHALLENGE frames from untrusted peers, thereby eliminating the attack vector that triggers the CWE‑1325 flaw.
Implement network‑level rate limiting or filtering for QUIC PATH_CHALLENGE frames, and monitor heap usage for abnormal growth to detect potential exploitation early.

Generated by OpenCVE AI on June 11, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6335-1	openssl security update
Ubuntu USN	USN-8414-1	OpenSSL vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00511.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/openssl/openssl/commit/5b306efb0b3779dfdd0803b4afc9d08c91f11517
https://github.com/openssl/openssl/commit/7d06955ebe0ecf8adfd4c1e92018586da47ef9ac
https://github.com/openssl/openssl/commit/d2e9efbe4900a373227deb136e8665401404ffac
https://github.com/openssl/openssl/commit/fbaa83859c01ad64f497b757aaf51be7d05ed9eb
https://nvd.nist.gov/vuln/detail/CVE-2026-34183
https://openssl-library.org/news/secadv/20260609.txt
https://www.cve.org/CVERecord?id=CVE-2026-34183

History

Mon, 15 Jun 2026 18:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:openssl:openssl:::::::: cpe:2.3:a:openssl:openssl:4.0.0:-::::::

Thu, 11 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770
References		https://nvd.nist.gov/vuln/detail/CVE-2026-34183 https://www.cve.org/CVERecord?id=CVE-2026-34183
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 10 Jun 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 10 Jun 2026 08:30:00 +0000

Type	Values Removed	Values Added
References	https://github.com/openssl/security/commit/5b306efb0b3779dfdd0803b4afc9d08c91f11517 https://github.com/openssl/security/commit/7d06955ebe0ecf8adfd4c1e92018586da47ef9ac https://github.com/openssl/security/commit/d2e9efbe4900a373227deb136e8665401404ffac https://github.com/openssl/security/commit/fbaa83859c01ad64f497b757aaf51be7d05ed9eb

Wed, 10 Jun 2026 08:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/openssl/openssl/commit/5b306efb0b3779dfdd0803b4afc9d08c91f11517 https://github.com/openssl/openssl/commit/7d06955ebe0ecf8adfd4c1e92018586da47ef9ac https://github.com/openssl/openssl/commit/d2e9efbe4900a373227deb136e8665401404ffac https://github.com/openssl/openssl/commit/fbaa83859c01ad64f497b757aaf51be7d05ed9eb

Tue, 09 Jun 2026 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openssl Openssl openssl
Vendors & Products		Openssl Openssl openssl

Tue, 09 Jun 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service. A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.
Title		Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler
Weaknesses		CWE-1325
References		https://github.com/openssl/security/commit/5b306efb0b3779dfdd0803b4afc9d08c91f11517 https://github.com/openssl/security/commit/7d06955ebe0ecf8adfd4c1e92018586da47ef9ac https://github.com/openssl/security/commit/d2e9efbe4900a373227deb136e8665401404ffac https://github.com/openssl/security/commit/fbaa83859c01ad64f497b757aaf51be7d05ed9eb https://openssl-library.org/news/secadv/20260609.txt

Subscriptions

Openssl Openssl

MITRE

Status: PUBLISHED

Assigner: openssl

Published: 2026-06-09T16:03:23.623Z

Updated: 2026-06-10T15:51:12.557Z

Reserved: 2026-03-26T09:29:36.013Z

Link: CVE-2026-34183

Vulnrichment

Updated: 2026-06-10T15:50:14.868Z

NVD

Status : Analyzed

Published: 2026-06-09T17:17:05.000

Modified: 2026-06-15T18:12:39.050

Link: CVE-2026-34183

Redhat

Severity : Moderate

Publid Date: 2026-06-09T00:00:00Z

Links: CVE-2026-34183 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-11T02:00:16Z

Weaknesses

CWE-1325
Improperly Controlled Sequential Memory Allocation
CWE-770
Allocation of Resources Without Limits or Throttling

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object