CVE-2026-34183

{"id": "CVE-2026-34183", "cveTags": [], "metrics": {}, "published": "2026-06-09T17:17:05.000", "references": [{"url": "https://github.com/openssl/openssl/commit/5b306efb0b3779dfdd0803b4afc9d08c91f11517", "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/7d06955ebe0ecf8adfd4c1e92018586da47ef9ac", "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/d2e9efbe4900a373227deb136e8665401404ffac", "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/fbaa83859c01ad64f497b757aaf51be7d05ed9eb", "source": "openssl-security@openssl.org"}, {"url": "https://openssl-library.org/news/secadv/20260609.txt", "source": "openssl-security@openssl.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "openssl-security@openssl.org", "description": [{"lang": "en", "value": "CWE-1325"}]}], "descriptions": [{"lang": "en", "value": "Issue summary: Remote peer may exhaust heap memory of the QUIC\nserver or client by flooding it with packets containing PATH_CHALLENGE\nframes.\n\nImpact summary: A malicious remote peer can cause an unbounded\nmemory allocation which can lead to an abnormal termination of the\napplication acting as a QUIC client or server and a Denial of Service.\n\nA remote peer may exhaust heap memory by flooding the local\nQUIC stack with PATH_CHALLENGE frames. The local QUIC stack\nallocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives.\nThe allocated PATH_RESPONSE frame gets freed only when the remote\npeer acknowledges reception of the PATH_RESPONSE frame which will\nnot be done by a malicious peer.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by\nthis issue. The QUIC stack is outside of OpenSSL FIPS module\nboundary."}], "lastModified": "2026-06-10T08:16:23.030", "sourceIdentifier": "openssl-security@openssl.org"}