Memory Exhaustion Vulnerability in QUIC Stack of OpenSSL Library
CVE-2026-34183
7.5HIGH
What is CVE-2026-34183?
A vulnerability exists in the QUIC stack of OpenSSL that allows a remote malicious peer to flood a client or server with PATH_CHALLENGE frames, leading to unbounded memory allocation. This occurs because each received PATH_CHALLENGE results in the allocation of a corresponding PATH_RESPONSE frame, which the attacker can prevent from being acknowledged. As a consequence, this can cause the application to terminate abnormally, resulting in a denial of service.
Affected Version(s)
OpenSSL 4.0.0 < 4.0.1
OpenSSL 3.6.0 < 3.6.3
OpenSSL 3.5.0 < 3.5.7