Security Advisory

CVE-2026-31812

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-10 21:04:36
Last updated 2026-06-30 12:07:47
Assigner GitHub_M
State PUBLISHED

Description

Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto parsing logic, attacker-controlled varints are decoded with unwrap(), so truncated encodings cause Err(UnexpectedEnd) and panic. This is reachable over the network with a single packet and no prior trust or authentication. This vulnerability is fixed in 0.11.14.