QUIC transport protocol in Quinn can be crashed remotely
DEBIAN-CVE-2026-31812
Summary
A remote attacker can crash applications using Quinn by sending a specially crafted packet. This can cause the application to stop working temporarily. Update Quinn to version 0.11.14 or later to fix this issue.
What to do
No fix is available yet for the Debian packages listed below. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | rust-quinn | All versions | – |
| debian | rust-quinn-proto | All versions | – |
Original title
Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using...
Original description
Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto parsing logic, attacker-controlled varints are decoded with unwrap(), so truncated encodings cause Err(UnexpectedEnd) and panic. This is reachable over the network with a single packet and no prior trust or authentication. This vulnerability is fixed in 0.11.14.
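The bug class described above, shown as an added Rust example that is not code from Quinn or quinn-proto: a QUIC varint decoder (RFC 9000, section 16) used once with `unwrap()` and once with error propagation. All function and type names are hypothetical, and the input bytes are constructed.

```rust
// Added illustration; hypothetical names, not quinn-proto source.
#[derive(Debug, PartialEq)]
pub enum ParseError { UnexpectedEnd }

/// Decode one QUIC varint from the front of `buf` and advance past it.
/// The top two bits of the first byte select a 1, 2, 4 or 8 byte encoding.
pub fn read_varint(buf: &mut &[u8]) -> Result<u64, ParseError> {
    let data: &[u8] = *buf;
    let first = *data.first().ok_or(ParseError::UnexpectedEnd)?;
    let len = 1usize << (first >> 6);
    if data.len() < len { return Err(ParseError::UnexpectedEnd); } // truncated
    let mut v = u64::from(first & 0x3f);
    for b in &data[1..len] {
        v = (v << 8) | u64::from(*b);
    }
    *buf = &data[len..];
    Ok(v)
}

/// Unsafe pattern: a decode error on peer-supplied bytes becomes a panic.
/// Transport parameters are a sequence of (id varint, length varint, value).
pub fn param_ids_unwrap(mut buf: &[u8]) -> Vec<u64> {
    let mut ids = Vec::new();
    while !buf.is_empty() {
        let id = read_varint(&mut buf).unwrap();
        let len = read_varint(&mut buf).unwrap() as usize;
        buf = &buf[len..]; // slicing past the end panics as well
        ids.push(id);
    }
    ids
}

/// Hardened pattern: every failure is returned so the caller can reject
/// the packet and close the connection instead of aborting the process.
pub fn param_ids_checked(mut buf: &[u8]) -> Result<Vec<u64>, ParseError> {
    let mut ids = Vec::new();
    while !buf.is_empty() {
        let id = read_varint(&mut buf)?;
        let len = read_varint(&mut buf)?;
        if len > buf.len() as u64 { return Err(ParseError::UnexpectedEnd); }
        buf = &buf[len as usize..];
        ids.push(id);
    }
    Ok(ids)
}

fn main() {
    let truncated = [0x40u8]; // constructed: 2-byte varint prefix, second byte missing
    println!("{:?}", param_ids_checked(&truncated));
}
```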
osv CVSS4.0: 8.3
- https://security-tracker.debian.org/tracker/CVE-2026-31812 Vendor Advisory
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 13 Mar 2026