Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto parsing logic, attacker-controlled varints are decoded with unwrap(), so truncated encodings cause Err(UnexpectedEnd) and panic. This is reachable over the network with a single packet and no prior trust or authentication. This vulnerability is fixed in 0.11.14.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
References
History
Tue, 10 Mar 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto parsing logic, attacker-controlled varints are decoded with unwrap(), so truncated encodings cause Err(UnexpectedEnd) and panic. This is reachable over the network with a single packet and no prior trust or authentication. This vulnerability is fixed in 0.11.14. | |
| Title | Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing | |
| Weaknesses | CWE-248 | |
| References |
| |
| Metrics |
cvssV4_0
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-10T21:04:36.812Z
Reserved: 2026-03-09T16:33:42.914Z
Link: CVE-2026-31812
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-03-10T22:16:18.840
Modified: 2026-03-10T22:16:18.840
Link: CVE-2026-31812
Redhat
No data.
OpenCVE Enrichment
No data.