Description
Issue summary: Receiving a QUIC initial packet with an invalid token may
trigger a NULL pointer dereference in the OpenSSL QUIC server when
address validation is disabled.

Impact summary: A NULL pointer dereference typically causes abnormal termination
of the affected QUIC server process and therefore a Denial of Service.

If address validation is disabled in the OpenSSL QUIC server
implementation, an attacker can crash the server by sending an initial
packet with an invalid or expired token.

By default, client address validation is enabled in the OpenSSL QUIC server
implementation, so the default configuration is not vulnerable
to this issue. However, if SSL_LISTENER_FLAG_NO_VALIDATE is passed to
the SSL_new_listener() call, address validation is disabled, making the
vulnerable code reachable.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.

Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference is triggered in the OpenSSL QUIC server when it receives an initial packet with an invalid or expired token while address validation is turned off. The fault terminates the server process abnormally, resulting in a denial of service. The issue is rooted in a missing NULL check and is classified as CWE-476.

Affected Systems

The vulnerability affects OpenSSL deployments that expose a QUIC server and have address validation disabled. Any OpenSSL deployment that uses the QUIC server should verify that SSL_LISTENER_FLAG_NO_VALIDATE is not set; the default configuration keeps validation on, so the problem is avoided unless the developer explicitly disables it. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not impacted because the vulnerable code lies outside the FIPS boundary.

Risk and Exploitability

The flaw is not listed in CISA's KEV catalog and no EPSS score is available; the CVSS score of 7.5 indicates high severity, but no public exploitation has been documented. The vulnerability can nevertheless be exploited remotely by any attacker able to send crafted QUIC packets to the target, and no authentication or user interaction is required. Because the fault leads to a crash, the impact is a complete loss of service for the affected QUIC endpoint. The risk is high for any publicly reachable QUIC server that has disabled address validation, even though the default configuration is safe.

Generated by OpenCVE AI on June 9, 2026 at 22:12 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSSL to the latest release that includes the referenced commits.
  • Configure the QUIC server to keep address validation enabled; avoid using SSL_LISTENER_FLAG_NO_VALIDATE when creating listeners.
  • Review your application code to confirm that SSL_LISTENER_FLAG_NO_VALIDATE is not set, and remove any instances that disable validation to prevent the null dereference.

Generated by OpenCVE AI on June 9, 2026 at 22:12 UTC.

Advisories

Source: Debian DSA, ID: DSA-6335-1, Title: openssl security update
Source: Ubuntu USN, ID: USN-8414-1, Title: OpenSSL vulnerabilities

History

Tue, 09 Jun 2026 20:30:00 +0000

Values added:
Metrics cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Metrics ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 19:00:00 +0000

Values added:
First Time appeared: Openssl; Openssl openssl
Vendors & Products: Openssl; Openssl openssl

Tue, 09 Jun 2026 16:30:00 +0000

Values added:
Description: the issue and impact summary reproduced in the Description section above
Title: NULL Pointer Dereference in QUIC Server Initial Packet Handling
Weaknesses: CWE-476
References

MITRE

Status: PUBLISHED

Assigner: openssl

Published:

Updated: 2026-06-09T19:37:01.285Z

Reserved: 2026-04-29T09:22:27.967Z

Link: CVE-2026-42764

Vulnrichment

Updated: 2026-06-09T19:36:55.758Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:07.693

Modified: 2026-06-09T21:17:16.947

Link: CVE-2026-42764

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T22:15:15Z

Weaknesses