OpenSSL
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*
- >= 3.4, < 3.4.6
- >= 3.5, < 3.5.7
- >= 3.6, < 3.6.3
- >= 4.0, < 4.0.1
A vulnerability exists in the OpenSSL QUIC implementation in versions 4.0, 3.6, 3.5, and 3.4. A remote peer that floods the application with PATH_CHALLENGE frames can exhaust heap memory. This unbounded memory allocation may lead to abnormal termination of the application, causing a denial-of-service condition. The issue arises because the QUIC stack allocates a PATH_RESPONSE frame for each PATH_CHALLENGE received, and the allocated frame is only freed when the remote peer acknowledges its receipt, which a malicious peer will not do.
Exploitation of this vulnerability can cause the application to terminate unexpectedly, leading to a denial-of-service condition.
To reproduce this vulnerability, send a large number of PATH_CHALLENGE frames to an OpenSSL application acting as a QUIC server or client. The application must be configured to disable address validation on the QUIC server.
Users of OpenSSL 4.0 should upgrade to OpenSSL 4.0.1. Users of OpenSSL 3.6 should upgrade to OpenSSL 3.6.3. Users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.7. Users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.6.
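The allocation pattern the advisory describes, and one way to bound it, as an added illustration that is not OpenSSL's code or its actual fix: the unbounded variant allocates one pending PATH_RESPONSE per PATH_CHALLENGE and keeps it until acknowledged, while the bounded variant uses a fixed table, coalesces identical challenges and evicts the oldest entry. The cap `MAX_PENDING` and the helper names are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PATH_CHALLENGE_LEN 8
#define MAX_PENDING 4 /* illustrative bound, not a value taken from OpenSSL */

typedef struct { uint8_t data[PATH_CHALLENGE_LEN]; } path_response_t;

/* Queue of PATH_RESPONSE frames waiting to be sent and acknowledged. */
typedef struct { path_response_t *items; size_t len, cap; } pending_t;

/* Vulnerable pattern from the advisory: one heap entry per PATH_CHALLENGE,
 * retained until the peer acknowledges it. A peer that never acknowledges
 * makes this grow without bound. */
int queue_unbounded(pending_t *q, const uint8_t *challenge) {
    if (q->len == q->cap) {
        size_t ncap = q->cap ? q->cap * 2 : 16;
        path_response_t *n = realloc(q->items, ncap * sizeof *n);
        if (n == NULL) return 0; /* heap exhausted; the real stack aborts here */
        q->items = n;
        q->cap = ncap;
    }
    memcpy(q->items[q->len++].data, challenge, PATH_CHALLENGE_LEN);
    return 1;
}

/* Hardened pattern: fixed-size table, identical challenges are coalesced,
 * and the oldest pending response is evicted once the table is full. */
int queue_bounded(pending_t *q, const uint8_t *challenge) {
    for (size_t i = 0; i < q->len; i++)
        if (memcmp(q->items[i].data, challenge, PATH_CHALLENGE_LEN) == 0)
            return 1; /* already pending, nothing new to allocate */
    if (q->len == MAX_PENDING) { /* full: drop the oldest response */
        memmove(q->items, q->items + 1, (q->len - 1) * sizeof *q->items);
        q->len--;
    }
    memcpy(q->items[q->len++].data, challenge, PATH_CHALLENGE_LEN);
    return 1;
}

/* Feed n distinct constructed challenges with no acknowledgements and
 * return how many pending responses are held afterwards. */
size_t pending_after_flood(int bounded, uint64_t n) {
    path_response_t fixed[MAX_PENDING];
    pending_t q = { bounded ? fixed : NULL, 0, bounded ? MAX_PENDING : 0 };
    for (uint64_t i = 0; i < n; i++) {
        uint8_t c[PATH_CHALLENGE_LEN];
        memcpy(c, &i, sizeof c); /* constructed 8-byte challenge payload */
        if (!(bounded ? queue_bounded(&q, c) : queue_unbounded(&q, c))) break;
    }
    size_t held = q.len;
    if (!bounded) free(q.items);
    return held;
}
```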