Use-After-Free Vulnerabilities in Cloudflare Quiche
CVE-2026-11941

5.6MEDIUM

Key Information:

Vendor: Cloudflare
Status: Quiche
Vendor: CVE Published:; 19 June 2026

What is CVE-2026-11941?

Cloudflare Quiche has been found to have two use-after-free vulnerabilities within its FFI functions: 'quiche_connection_id_iter_next' and 'quiche_conn_retired_scid_next'. These functions return a pointer to a 'ConnectionId' to applications, but the management of the memory is flawed, leading to freed memory dereferencing when the function scope ends. Applications utilizing these functions may experience undefined behavior, potentially causing crashes or denial of service. In some instances, it could also result in information disclosure through neighboring heap contents. To mitigate this issue, users are strongly advised to upgrade to Quiche version 0.29.2, which includes the necessary fix.

Affected Version(s)

Quiche 0.20.0 <= 0.29.1

References

https://github.com/cloudflare/quiche/security/advisories/...

CVSS V3.1

Score:

5.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 19, 2026
Vulnerability Reserved
Jun 10, 2026

CVE-2026-11941 Data

JSON