8.3
Quinn Denial of Service via Bad QUIC Parameters
CVE-2026-31812
GHSA-6xvm-j4wr-6v98
RUSTSEC-2026-0037
Summary
A bug in Quinn's QUIC protocol handling can cause Quinn to panic and crash when it receives QUIC transport parameters containing invalid values. This issue can be triggered by a malicious or misconfigured QUIC peer. To protect your system, update Quinn to the latest version, which includes a fix for this issue.
What to do
- Update quinn-proto to version 0.11.14.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | quinn-proto | <= 0.11.14 | 0.11.14 |
| – | quinn-proto | > 0.5.0 , <= 0.11.14 | 0.11.14 |
Original title
Denial of service in Quinn endpoints
Original description
Receiving QUIC transport parameters containing invalid values could lead to a panic.
Unfortunately the maintainers did not properly assess usage of `unwrap()` calls in the
transport parameters parsing code, and we did not have sufficient fuzzing coverage to find this
issue. We have since added a fuzzing target to cover this code path.
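The failure mode described above, shown as an added example that is not Quinn's code or its fix: a transport-parameters parser for the RFC 9000 wire format that returns an error for every truncated or out-of-range field instead of calling `unwrap()`. The names `parse_params`, `varint` and `Error` are hypothetical, only three integer parameters are range-checked, and the input bytes are constructed.

```rust
// Added example, not Quinn's code. Wire format per RFC 9000, sections 16 and 18.
#[derive(Debug, PartialEq)]
pub enum Error { Truncated, Malformed, IllegalValue(u64) }

/// Decode one QUIC variable-length integer and advance `buf` past it.
fn varint(buf: &mut &[u8]) -> Result<u64, Error> {
    let data: &[u8] = *buf;
    let first = *data.first().ok_or(Error::Truncated)?;
    let len = 1usize << (first >> 6); // top two bits select 1, 2, 4 or 8 bytes
    let bytes = data.get(..len).ok_or(Error::Truncated)?;
    let mut v = u64::from(first & 0x3f);
    for b in &bytes[1..] { v = (v << 8) | u64::from(*b); }
    *buf = &data[len..];
    Ok(v)
}

/// Parse a transport-parameters blob; returns the validated integer parameters.
/// Every length and range check yields an Err, so hostile input cannot panic.
pub fn parse_params(mut buf: &[u8]) -> Result<Vec<(u64, u64)>, Error> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let id = varint(&mut buf)?;
        let len = varint(&mut buf)?;
        if len > buf.len() as u64 { return Err(Error::Truncated); }
        let (mut value, rest) = buf.split_at(len as usize);
        buf = rest;
        // Only three integer-valued parameters are checked here; others are skipped.
        if matches!(id, 0x03 | 0x0a | 0x0b) {
            let v = varint(&mut value)?;
            if !value.is_empty() { return Err(Error::Malformed); }
            let ok = match id {
                0x03 => v >= 1200,  // max_udp_payload_size
                0x0a => v <= 20,    // ack_delay_exponent
                _ => v < (1 << 14), // max_ack_delay
            };
            if !ok { return Err(Error::IllegalValue(id)); }
            out.push((id, v));
        }
    }
    Ok(out)
}

fn main() {
    // Constructed inputs: a valid blob, then one with ack_delay_exponent = 21.
    println!("{:?}", parse_params(&[0x03, 0x02, 0x45, 0xac, 0x0a, 0x01, 0x03]));
    println!("{:?}", parse_params(&[0x0a, 0x01, 0x15]));
}
```

A parser written this way is also a natural fuzz target: the only property to assert is that no input makes it panic.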
nvd CVSS4.0
8.7
Vulnerability type
CWE-248
- https://github.com/quinn-rs/quinn/pull/2559
- https://rustsec.org/advisories/RUSTSEC-2026-0037.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-31812
- https://github.com/quinn-rs/quinn/security/advisories/GHSA-6xvm-j4wr-6v98
- https://github.com/advisories/GHSA-6xvm-j4wr-6v98
- https://github.com/quinn-rs/quinn Product
- https://crates.io/crates/quinn-proto Product
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026