Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-44436— Quicly is vulnerable to connection state corruption

CVSS 7.5 · High EPSS 0.28% · P20

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 1

VendorProductVersion RangeStatus
h2oquicly< 8b178e6affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-44436

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Quicly is vulnerable to connection state corruption
Source: NVD (National Vulnerability Database)
Vulnerability Description
Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 8b178e6, Quicly is vulnerable to a Denial of Service attack through connection state corruption. In QUIC Invariants, the maximum length of a Connection ID is 255 bytes, while QUIC version 1 further restricts the maximum to 20 bytes. Quicly implements QUIC version 1 and therefore its CID buffers are limited to 20 bytes. However, to be able to respond to unknown versions of QUIC, its packet decoder accepts Connection IDs of up to 255 bytes. As its CID buffers are merely 20 bytes long, Quicly must reject QUIC version 1 packets with Connection IDs longer than that. The command line tool bundled with Quicly has had that check, however the library itself lacked such enforcement. As a consequence, when used by applications that lack their own enforcement, the connection state becoming inconsistent to buffer overrun. Fortunately, the overflow stops within the allocated chunk of memory, but nevertheless, the bug leads to assertion failures. This issue has been fixed by commit 8b178e6.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
未进行输入大小检查的缓冲区拷贝(传统缓冲区溢出)
Source: NVD (National Vulnerability Database)
Vulnerability Title
H2O quicly 缓冲区错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
H2O quicly是H2O公司开源的一个 IETF QUIC 协议的实现。 H2O quicly 8b178e6之前版本存在缓冲区错误漏洞,该漏洞源于连接状态损坏,可能导致缓冲区溢出,进而导致拒绝服务攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
h2oquicly < 8b178e6 -

II. Public POCs for CVE-2026-44436

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 9275 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-44436

登录查看更多情报信息。

Patches & Fixes for CVE-2026-44436 (1)

Vendor Advisories for CVE-2026-44436 (1)

Same Patch Batch · h2o · 2026-07-16 · 7 CVEs total

CVE-2026-444357.5 HIGHQuicly: Remote Denial of Service via assertion failure when CRYPTO stream handshake data e
CVE-2026-444537.5 HIGHh2o is vulnerable to musl libc stack overflow
CVE-2026-543407.5 HIGHh2o has HTTP/2 state amplification
CVE-2026-444525.9 MEDIUMh2o is vulnerable to heap overrun
CVE-2026-444335.3 MEDIUMQuicly is vulnerable to memory exhaustion
CVE-2026-444345.3 MEDIUMQuicly is vulnerable to stateless reset injection

IV. Related Vulnerabilities

V. Comments for CVE-2026-44436

No comments yet


Leave a comment