Firefox: Malicious Sites Can Disable Compression
GHSA-6w86-wgwq-rgq8
GHSA CVSS 4.0 score: 5.1
Summary
A bug in the QPACK header-compression code that Firefox uses for HTTP/3 (the neqo-qpack crate) can be exploited by a malicious website to disable header compression on its own QUIC connection, or to leave the decoder's dynamic table in an inconsistent state. The issue affects all Firefox users, but its effect is limited to the attacker's own connection: the site cannot crash the browser or affect other QUIC connections. Firefox developers are working on a fix, which will be released in a future update.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| Mozilla (github.com/mozilla/neqo) | neqo-qpack | <= 0.22.2 | – |
Original title
neqo-qpack has integer overflow in qpack dynamic table indexing
Original description
### Summary
An unsanitized qpack index can lead to an integer overflow, panicking in debug mode, accessing the wrong or no dynamic table entry in release mode.
What does this mean for Firefox? Firefox runs Neqo in release mode. A malicious remote can cause its own QUIC connection to fail to use qpack, i.e. compression, or enter an inconsistent state. The remote cannot crash Firefox, nor affect other QUIC connections.
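The description above names the bug class (unchecked index arithmetic on the QPACK dynamic table) without showing the code path. The Rust example below is added here as an illustration and is not neqo's code: it reconstructs a minimal QPACK dynamic table with RFC 9204-style absolute, relative and post-base indexing, and puts an unchecked lookup that emulates release-mode wrapping beside a checked one that rejects the same inputs as a decoder error. The names `DynamicTable`, `lookup_unchecked`, `lookup_checked`, `DecodeError`, `sample_table` and the three sample entries are assumptions made for this example.

```rust
use std::convert::TryFrom;

/// One dynamic-table entry: (name, value).
pub type Entry = (Vec<u8>, Vec<u8>);

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    /// Index arithmetic overflowed or underflowed.
    IndexOverflow,
    /// Computed absolute index names no live entry.
    IndexOutOfRange(u64),
}

/// Minimal QPACK dynamic table (illustrative, not neqo's). Entries keep
/// insertion order; `dropped` counts evicted entries, so absolute index
/// `abs` lives at `abs - dropped`.
pub struct DynamicTable {
    entries: Vec<Entry>,
    dropped: u64,
}

impl DynamicTable {
    pub fn new() -> Self {
        Self { entries: Vec::new(), dropped: 0 }
    }

    pub fn insert(&mut self, name: &[u8], value: &[u8]) {
        self.entries.push((name.to_vec(), value.to_vec()));
    }

    /// Evict the oldest entry (what a full table does on insert).
    pub fn evict_oldest(&mut self) {
        if !self.entries.is_empty() {
            self.entries.remove(0);
            self.dropped += 1;
        }
    }

    /// RFC 9204 "Insert Count": total entries ever inserted.
    pub fn insert_count(&self) -> u64 {
        self.dropped + self.entries.len() as u64
    }

    fn get_abs(&self, abs: u64) -> Option<&Entry> {
        let idx = abs.checked_sub(self.dropped)?;
        usize::try_from(idx).ok().and_then(|i| self.entries.get(i))
    }

    /// The buggy pattern: index arithmetic with no sanitisation.
    /// `base - 1 - rel` underflows when `rel >= base`, and `base + rel`
    /// overflows for a huge post-base index. Rust release builds wrap
    /// silently; wrapping_* is used here so the example behaves the same
    /// in debug and release (a plain `-` or `+` would panic in debug).
    pub fn lookup_unchecked(&self, base: u64, rel: u64, post_base: bool) -> Option<&Entry> {
        let abs = if post_base {
            base.wrapping_add(rel)
        } else {
            base.wrapping_sub(1).wrapping_sub(rel)
        };
        self.get_abs(abs)
    }

    /// The hardened pattern: checked arithmetic, then a range check
    /// against [dropped, insert_count). Any failure is a decoder error,
    /// which RFC 9204 maps to QPACK_DECOMPRESSION_FAILED on the connection.
    pub fn lookup_checked(&self, base: u64, rel: u64, post_base: bool) -> Result<&Entry, DecodeError> {
        let abs_opt = if post_base {
            base.checked_add(rel)
        } else {
            base.checked_sub(1).and_then(|b| b.checked_sub(rel))
        };
        let abs = abs_opt.ok_or(DecodeError::IndexOverflow)?;
        if abs < self.dropped || abs >= self.insert_count() {
            return Err(DecodeError::IndexOutOfRange(abs));
        }
        self.get_abs(abs).ok_or(DecodeError::IndexOutOfRange(abs))
    }
}

/// Constructed sample table (not captured traffic): three entries, no evictions.
pub fn sample_table() -> DynamicTable {
    let mut t = DynamicTable::new();
    t.insert(b":authority", b"example.test");
    t.insert(b"x-id", b"1");
    t.insert(b"x-id", b"2");
    t
}

fn main() {
    let mut t = sample_table();
    let base = t.insert_count(); // 3: Base sits just past the newest entry
    println!("rel 0 (newest)        -> {:?}", t.lookup_checked(base, 0, false));
    // Attacker-chosen relative index >= Base: underflow, no entry found.
    println!("rel 3 unchecked       -> {:?}", t.lookup_unchecked(base, 3, false));
    println!("rel 3 checked         -> {:?}", t.lookup_checked(base, 3, false));
    // Attacker-chosen post-base index that wraps to absolute 0: the
    // unchecked path silently returns the wrong entry.
    let wrap = u64::MAX - base + 1;
    println!("post-base wrap unchecked -> {:?}", t.lookup_unchecked(base, wrap, true));
    println!("post-base wrap checked   -> {:?}", t.lookup_checked(base, wrap, true));
    // After an eviction, an index below `dropped` is also rejected.
    t.evict_oldest();
    println!("evicted abs 0 checked    -> {:?}", t.lookup_checked(base, 2, false));
}
```

The two failure modes in the description map directly onto the unchecked path: the underflowing relative index yields an absolute index that matches nothing ("no dynamic table entry"), while the overflowing post-base index wraps to a small absolute index and returns a different header than the encoder meant ("the wrong entry"). The checked path turns both into a connection-level decoder error, which is the only safe outcome for an index the peer controls.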
### Details
See fuzz report in https://github.com/mozilla/neqo/issues/3406.
### PoC
See test in pull request.
### Impact
All Firefox users. Though the vulnerability is likely scoped to the same connection, i.e. low impact.
Vulnerability type
CWE-190
Integer Overflow
Published: 4 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026