Back to overview

CVE-2026-12707

HIGH
7.5
CVSS 3.1
Description
Summary Cloudflare quiche was discovered to be vulnerable to memory resource exhaustion due to unbounded queuing of post-handshake client migration events. Impact quiche supports the connection migration features described in Section 9 of RFC 9000, which allows a single QUIC connection to survive changes in the network path. Although quiche implements the protections described in Section 9.3 of RFC 9000 to limit server state commitment, it was discovered that the collection of PathEvents, intended to be consumed by applications via the path_event_next() function, was not bounded. Once the QUIC handshake completed, a peer could exploit rapid source address migration in order to cause unbounded queuing of the PathEvent::ReusedSourceConnectionId type. Servers are vulnerable even if active connection migration is disabled. Mitigation: * Applications can call path_event_next() to drain the PathEvent collection, mitigating the attack. * Users are requested to upgrade to quiche 0.29.3 which is the earliest version that prevents excessive queueing of PathEvent::ReusedSourceConnectionId.

Metadata

CVE ID
CVE-2026-12707
State
PUBLISHED
Assigner
cloudflare
Reserved
2026-06-19 10:27 UTC
Published
2026-07-14 15:18 UTC
Last updated
2026-07-14 15:57 UTC
Primary CWE
CWE-770
CWE-770 Allocation of resources without limits or throttling
Vendor / Product
Cloudflare / quiche
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
Cloudflare quiche 0.15.0 < 0.29.3
Weakness (CWE)
CWESourceDescription
CWE-770 cna CWE-770 Allocation of resources without limits or throttling
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Back to overview