CVE-2026-11941: CWE-416 Use after free in Cloudflare Quiche
Cloudflare Quiche versions 0.20.0 through 0.29.1 contain two use-after-free vulnerabilities in the connection ID iterator FFI functions. These vulnerabilities occur because the functions return pointers to ConnectionId objects that are freed at the end of the function scope. This affects only applications using these FFI functions, which are disabled by default. Exploitation can cause process crashes or limited information disclosure. A fix is available in version 0.29.2.
AI Analysis
Technical Summary
CVE-2026-11941 describes two use-after-free vulnerabilities in Cloudflare Quiche's connection ID iterator FFI functions: quiche_connection_id_iter_next and quiche_conn_retired_scid_next. These functions return pointers to ConnectionId objects that are dropped at the end of the function scope, leading to dereferencing freed memory. The vulnerabilities affect only applications using these FFI functions, which are disabled by default via a build-time feature flag. The impact includes undefined behavior such as process crashes (denial of service) and potential limited information disclosure or incorrect connection identifier handling. The issue is fixed starting with quiche version 0.29.2.
Potential Impact
Applications calling the affected FFI functions in vulnerable versions may dereference freed memory, causing undefined behavior. This can result in process crashes leading to denial of service. Additionally, depending on allocator state, reads from freed memory may leak adjacent heap contents, causing limited information disclosure or incorrect connection identifier handling.
Mitigation Recommendations
Users should upgrade to quiche version 0.29.2 or later, which contains the fix for these use-after-free vulnerabilities. The FFI API is disabled by default via a build-time feature flag, so applications not using these functions are not affected. No other mitigation is required.
CVE-2026-11941: CWE-416 Use after free in Cloudflare Quiche
Description
Cloudflare Quiche versions 0.20.0 through 0.29.1 contain two use-after-free vulnerabilities in the connection ID iterator FFI functions. These vulnerabilities occur because the functions return pointers to ConnectionId objects that are freed at the end of the function scope. This affects only applications using these FFI functions, which are disabled by default. Exploitation can cause process crashes or limited information disclosure. A fix is available in version 0.29.2.
CVSS v3.1
Score 5.6medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-11941 describes two use-after-free vulnerabilities in Cloudflare Quiche's connection ID iterator FFI functions: quiche_connection_id_iter_next and quiche_conn_retired_scid_next. These functions return pointers to ConnectionId objects that are dropped at the end of the function scope, leading to dereferencing freed memory. The vulnerabilities affect only applications using these FFI functions, which are disabled by default via a build-time feature flag. The impact includes undefined behavior such as process crashes (denial of service) and potential limited information disclosure or incorrect connection identifier handling. The issue is fixed starting with quiche version 0.29.2.
Potential Impact
Applications calling the affected FFI functions in vulnerable versions may dereference freed memory, causing undefined behavior. This can result in process crashes leading to denial of service. Additionally, depending on allocator state, reads from freed memory may leak adjacent heap contents, causing limited information disclosure or incorrect connection identifier handling.
Mitigation Recommendations
Users should upgrade to quiche version 0.29.2 or later, which contains the fix for these use-after-free vulnerabilities. The FFI API is disabled by default via a build-time feature flag, so applications not using these functions are not affected. No other mitigation is required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- cloudflare
- Date Reserved
- 2026-06-10T20:16:34.590Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a3525f5f198dc38c112b67c
Added to database: 6/19/2026, 11:20:21 AM
Last enriched: 6/19/2026, 11:35:02 AM
Last updated: 6/19/2026, 3:55:11 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.