Description
Issue summary: Remote peer may exhaust heap memory of the QUIC
server or client by flooding it with packets containing PATH_CHALLENGE
frames.

Impact summary: A malicious remote peer can cause an unbounded
memory allocation which can lead to an abnormal termination of the
application acting as a QUIC client or server and a Denial of Service.

A remote peer may exhaust heap memory by flooding the local
QUIC stack with PATH_CHALLENGE frames. The local QUIC stack
allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives.
The allocated PATH_RESPONSE frame gets freed only when the remote
peer acknowledges reception of the PATH_RESPONSE frame which will
not be done by a malicious peer.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by
this issue. The QUIC stack is outside of the OpenSSL FIPS module
boundary.
Published: 2026-06-09
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Remote peers can flood an OpenSSL QUIC stack with PATH_CHALLENGE frames, causing the local system to allocate a PATH_RESPONSE frame for each challenge. Because the remote peer never acknowledges the responses, the allocated frames persist on the heap, leading to unbounded memory growth that can eventually exhaust the server or client memory and cause the application to terminate unexpectedly. This weakness permits an attacker to trigger a denial-of-service condition without requiring elevated privileges on the target system.
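The allocation pattern described in the advisory and restated above (one PATH_RESPONSE allocated per PATH_CHALLENGE, released only on acknowledgement) is modelled here as an added illustration; it is not OpenSSL's code and every name in it (struct conn, on_path_challenge_unbounded, on_path_challenge_bounded, PATH_RESPONSE_CAP) is invented for the example. It places the unbounded handler beside a bounded one that caps the number of unacknowledged responses held per connection, and a driver that simulates a peer which sends challenges but never acknowledges, so the difference in live heap objects can be observed directly.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed per-connection bound on unacknowledged PATH_RESPONSE frames.
 * The value is a hypothetical choice for this illustration. */
#define PATH_RESPONSE_CAP 8

/* One queued PATH_RESPONSE: it echoes the 8-byte PATH_CHALLENGE data. */
struct path_response {
    uint8_t data[8];
    struct path_response *next;
};

/* Minimal per-connection state for this model (not OpenSSL's structures). */
struct conn {
    struct path_response *pending; /* responses kept until the peer ACKs them */
    size_t pending_count;
    size_t shed;                   /* challenges not queued because the cap was reached */
};

static void conn_init(struct conn *c) { memset(c, 0, sizeof *c); }

/* Pattern described in the advisory: each PATH_CHALLENGE allocates a
 * PATH_RESPONSE that is only released once the peer acknowledges it.
 * A peer that floods challenges and never ACKs grows this list without limit. */
int on_path_challenge_unbounded(struct conn *c, const uint8_t challenge[8])
{
    struct path_response *r = malloc(sizeof *r);
    if (r == NULL)
        return -1;
    memcpy(r->data, challenge, sizeof r->data);
    r->next = c->pending;
    c->pending = r;
    c->pending_count++;
    return 0;
}

/* Mitigated pattern: cap the number of unacknowledged responses held per
 * connection. Challenges beyond the cap are shed; a legitimate peer that
 * still needs the path validated sends another PATH_CHALLENGE later. */
int on_path_challenge_bounded(struct conn *c, const uint8_t challenge[8])
{
    if (c->pending_count >= PATH_RESPONSE_CAP) {
        c->shed++;
        return 1; /* frame shed, not an error */
    }
    return on_path_challenge_unbounded(c, challenge);
}

/* The packets carrying the queued responses were acknowledged: free them. */
void on_path_responses_acked(struct conn *c)
{
    while (c->pending != NULL) {
        struct path_response *r = c->pending;
        c->pending = r->next;
        free(r);
    }
    c->pending_count = 0;
}

/* Simulate n PATH_CHALLENGE frames from a peer that never acknowledges and
 * return how many PATH_RESPONSE allocations are still live afterwards. */
size_t flood_live_responses(int bounded, size_t n)
{
    struct conn c;
    uint8_t chal[8] = {0}; /* constructed challenge data, varied per frame */
    size_t live;

    conn_init(&c);
    for (size_t i = 0; i < n; i++) {
        chal[0] = (uint8_t)i;
        chal[1] = (uint8_t)(i >> 8);
        if (bounded)
            on_path_challenge_bounded(&c, chal);
        else
            on_path_challenge_unbounded(&c, chal);
    }
    live = c.pending_count;
    on_path_responses_acked(&c); /* release everything before returning */
    return live;
}

/* Normal path: a well-behaved peer acknowledges, and the queue drains to zero. */
size_t pending_after_ack(size_t n)
{
    struct conn c;
    uint8_t chal[8] = {0};

    conn_init(&c);
    for (size_t i = 0; i < n; i++)
        on_path_challenge_unbounded(&c, chal);
    on_path_responses_acked(&c);
    return c.pending_count;
}

/* Heap bytes held by live responses: the figure a memory monitor would see grow. */
size_t live_response_bytes(size_t live) { return live * sizeof(struct path_response); }

int main(void)
{
    const size_t n = 100000;
    size_t u = flood_live_responses(0, n);
    size_t b = flood_live_responses(1, n);
    printf("unbounded handler: %zu live PATH_RESPONSE frames (%zu bytes)\n", u, live_response_bytes(u));
    printf("bounded handler:   %zu live PATH_RESPONSE frames (%zu bytes)\n", b, live_response_bytes(b));
    return 0;
}
```

Shedding is safe for a legitimate peer because RFC 9000 section 13.3 specifies that PATH_RESPONSE frames are sent just once and the peer sends further PATH_CHALLENGE frames as needed to evoke more responses; the cap value and the shed-newest policy above are assumptions for the example, not a description of the fix OpenSSL shipped.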

Affected Systems

All OpenSSL builds that include the QUIC stack are vulnerable. The FIPS modules 4.0, 3.6, 3.5, 3.4, and 3.0 are themselves not affected because the QUIC stack lies outside the FIPS module boundary, so loading a FIPS module does not by itself protect a build's QUIC stack. The specific affected versions are not enumerated in the advisory; any build that has the unpatched QUIC path challenge handler is at risk until the official fix is applied.

Risk and Exploitability

The severity of an exploitation attempt depends on the ability of a remote party to send large volumes of QUIC PATH_CHALLENGE frames to the vulnerable host. With no authentication required, an attacker can initiate a QUIC connection over the network and repeatedly issue the frames. The resulting memory exhaustion can bring the affected application to a halt. Although no EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, the unbounded memory allocation and lack of mitigation make the risk high, especially for systems that expose QUIC endpoints to the internet.

Generated by OpenCVE AI on June 9, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the OpenSSL patch that addresses CVE-2026-34183 by installing the most recent release containing the committed changes.
  • If an immediate update is not feasible, disable or block QUIC traffic on the affected host to prevent an attacker from engaging the vulnerable path handler.
  • Observe system resource usage for abnormal heap growth and configure alerts so that high memory consumption triggers shutdown or quarantine of the QUIC service until the patch is applied.

Generated by OpenCVE AI on June 9, 2026 at 17:21 UTC.

Advisories
Source       ID           Title
Debian DSA   DSA-6335-1   openssl security update
Ubuntu USN   USN-8414-1   OpenSSL vulnerabilities
History

Wed, 10 Jun 2026 08:30:00 +0000


Wed, 10 Jun 2026 08:15:00 +0000


Tue, 09 Jun 2026 19:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Openssl; Openssl openssl
Vendors & Products    -                Openssl; Openssl openssl

Tue, 09 Jun 2026 16:30:00 +0000

Type          Values Removed   Values Added
Description   -                Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service. A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.
Title         -                Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler
Weaknesses    -                CWE-1325
References

MITRE

Status: PUBLISHED

Assigner: openssl

Published:

Updated: 2026-06-10T07:47:56.298Z

Reserved: 2026-03-26T09:29:36.013Z

Link: CVE-2026-34183

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:05.000

Modified: 2026-06-10T08:16:23.030

Link: CVE-2026-34183

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T18:45:06Z

Weaknesses