quic-go Denial-of-Service Vulnerability via Slowloris Variant in MTU Discovery

Vulnerability

A denial-of-service vulnerability has been identified in quic-go versions through 0.27.0. This issue allows remote attackers to cause excessive CPU consumption by sending incomplete QUIC or HTTP/3 requests, exploiting a Slowloris-like technique. The vulnerability arises from a misinterpretation of the MTU Discovery service in the file mtu_discoverer.go, leading to an overflow of the probe timer.

Impact

Exploitation of this vulnerability causes increased CPU usage, potentially leading to performance degradation or service disruption.

Added: Mar 11, 2026, 7:04 PM
Updated: Mar 11, 2026, 7:04 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.7
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.