Description
quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an `http.Header` for the corresponding `http.Request` or `http.Response`, while only enforcing limits on the size of the QPACK-compressed HEADERS frame, not on the decoded field section. This can lead to memory exhaustion. This is very similar to CVE-2025-64702. The difference is that this issue uses HTTP trailers, rather than HTTP headers, as the attack vector. A misbehaving or malicious peer can cause a denial-of-service (DoS) attack against quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or resource exhaustion. This affects both servers and clients due to symmetric header construction. Version 0.59.1 enforces RFC 9114 decoded field section size limits for trailers as well. It incrementally decodes QPACK entries and checks the field section size after each entry, aborting the stream if an entry causes the limit to be exceeded.
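The per-entry size check that the fix describes, written out as an added example in Go (this is not quic-go's code): it applies the RFC 9114 field section sizing rule (name length + value length + 32 octets per field) incrementally while entries are decoded and aborts at the first entry that pushes the total over the limit. `Field`, `DecodeTrailers` and the 64 KiB limit are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Added example, not quic-go code: bound the size of a decoded HTTP/3
// trailer field section as entries are produced, instead of limiting
// only the QPACK-compressed HEADERS frame.

// RFC 9114 §4.2.2: a field list's size is the sum over all fields of
// len(name) + len(value) plus 32 octets of per-field overhead.
const fieldOverhead = 32

var ErrFieldSectionTooLarge = errors.New("decoded field section exceeds limit")

// Field is one decoded name/value pair (stands in for a QPACK decoder's output).
type Field struct{ Name, Value string }

// DecodeTrailers consumes entries one at a time, accumulating the decoded size
// and stopping at the first entry that pushes the total over limit. It returns
// the accepted fields, the index of the offending entry (len(entries) on
// success) and ErrFieldSectionTooLarge when the stream should be aborted.
func DecodeTrailers(entries []Field, limit uint64) ([]Field, int, error) {
	var size uint64
	var accepted []Field
	for i, e := range entries {
		size += uint64(len(e.Name)) + uint64(len(e.Value)) + fieldOverhead
		if size > limit {
			return nil, i, ErrFieldSectionTooLarge // abort before allocating more
		}
		accepted = append(accepted, e)
	}
	return accepted, len(entries), nil
}

func main() {
	// Constructed trailer section: many unique names carrying large values.
	trailers := make([]Field, 200)
	for i := range trailers {
		trailers[i] = Field{fmt.Sprintf("x-trailer-%03d", i), strings.Repeat("v", 4096)}
	}
	_, at, err := DecodeTrailers(trailers, 64<<10) // 64 KiB decoded-size limit
	fmt.Printf("aborted at entry %d: %v\n", at, err)
}
```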
Published: 2026-06-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Attackers trigger excessive memory allocation in quic-go by sending a QPACK-encoded HEADERS frame that expands into a large trailer field section with many unique names or large values. The implementation builds an http.Header for the request or response, enforcing only the compressed frame size limit, not the decoded field section size. The result is memory exhaustion, potentially leading to crashes or performance degradation. Both clients and servers are affected since trailer construction is symmetric.

Affected Systems

The vulnerability exists in quic-go, the QUIC protocol implementation in Go, for versions prior to 0.59.1 in both HTTP/3 client and server code. Upgrading to version 0.59.1 or later applies RFC 9114 limits on the decoded trailer field section, mitigating the issue.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity; the EPSS score is unavailable, and the vulnerability is not listed in CISA KEV. The likely attack vector, inferred from the description, is a malicious QUIC stream carrying a crafted HEADERS frame sent over the network. If successful, the attacker can cause a denial-of-service through resource exhaustion on the target host.

Generated by OpenCVE AI on June 4, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to quic-go v0.59.1 or later to apply the RFC 9114 size limits for trailer field sections
  • Ensure that deployments are rebuilt or updated to the patch level before starting new services or updating existing ones
  • If an immediate upgrade is not possible, configure application-level resource limits on QUIC connections to bound memory usage and monitor for abnormal trailer sizes



Advisories
Source: Github GHSA
ID: GHSA-vvgj-x9jq-8cj9
Title: quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion
History

Thu, 04 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an `http.Header` for the corresponding `http.Request` or `http.Response`, while only enforcing limits on the size of the QPACK-compressed HEADERS frame, not on the decoded field section. This can lead to memory exhaustion. This is very similar to CVE-2025-64702. The difference is that this issue uses HTTP trailers, rather than HTTP headers, as the attack vector. A misbehaving or malicious peer can cause a denial-of-service (DoS) attack against quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or resource exhaustion. This affects both servers and clients due to symmetric header construction. Version 0.59.1 enforces RFC 9114 decoded field section size limits for trailers as well. It incrementally decodes QPACK entries and checks the field section size after each entry, aborting the stream if an entry causes the limit to be exceeded.
Title quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T18:40:44.304Z

Reserved: 2026-04-15T16:37:22.766Z

Link: CVE-2026-40898

Vulnrichment

Updated: 2026-06-04T18:40:33.584Z

NVD

Status: Received

Published: 2026-06-04T19:16:28.713

Modified: 2026-06-04T19:16:28.713

Link: CVE-2026-40898

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T19:30:21Z

Weaknesses