CVE-2026-12523: Vulnerability in Cloudflare quiche
Cloudflare quiche's HTTP/3 implementation has a vulnerability that allows resource exhaustion via specially crafted HTTP/3 frames. The issue arises from pre-allocating memory based on declared frame lengths without requiring the attacker to send the full declared data. Additionally, incorrect enforcement of QPACK decompression limits can cause excessive memory usage. This vulnerability is addressed in quiche version 0.29.3. The CVSS score is 7.5, indicating high severity.
AI Analysis
Technical Summary
Cloudflare quiche's HTTP/3 layer is vulnerable to memory exhaustion attacks due to improper handling of frame length declarations and QPACK decompression limits. Specifically, quiche pre-allocates memory based on the declared length of certain HTTP/3 frames without requiring the attacker to send the full amount of data, enabling resource exhaustion. Furthermore, quiche does not correctly enforce QPACK decompression limits, allowing attackers to send HEADERS frames that consume more memory than the configured MAX_FIELD_SECTION_SIZE. This vulnerability can lead to denial of service by exhausting memory resources. The issue is fixed starting with quiche version 0.29.3.
Potential Impact
An attacker can cause a denial of service by exhausting memory resources on systems running vulnerable versions of quiche through specially crafted HTTP/3 frames. This does not impact confidentiality or integrity but results in high availability impact due to resource exhaustion.
Mitigation Recommendations
Users should upgrade to quiche version 0.29.3 or later, which contains the fix for this vulnerability. Since quiche is used as a cloud service component, Cloudflare manages remediation for their cloud-hosted service. Check the vendor advisory for confirmation of patch deployment status.
CVE-2026-12523: Vulnerability in Cloudflare quiche
Description
Cloudflare quiche's HTTP/3 implementation has a vulnerability that allows resource exhaustion via specially crafted HTTP/3 frames. The issue arises from pre-allocating memory based on declared frame lengths without requiring the attacker to send the full declared data. Additionally, incorrect enforcement of QPACK decompression limits can cause excessive memory usage. This vulnerability is addressed in quiche version 0.29.3. The CVSS score is 7.5, indicating high severity.
CVSS v3.1
Score 7.5high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Cloudflare quiche's HTTP/3 layer is vulnerable to memory exhaustion attacks due to improper handling of frame length declarations and QPACK decompression limits. Specifically, quiche pre-allocates memory based on the declared length of certain HTTP/3 frames without requiring the attacker to send the full amount of data, enabling resource exhaustion. Furthermore, quiche does not correctly enforce QPACK decompression limits, allowing attackers to send HEADERS frames that consume more memory than the configured MAX_FIELD_SECTION_SIZE. This vulnerability can lead to denial of service by exhausting memory resources. The issue is fixed starting with quiche version 0.29.3.
Potential Impact
An attacker can cause a denial of service by exhausting memory resources on systems running vulnerable versions of quiche through specially crafted HTTP/3 frames. This does not impact confidentiality or integrity but results in high availability impact due to resource exhaustion.
Mitigation Recommendations
Users should upgrade to quiche version 0.29.3 or later, which contains the fix for this vulnerability. Since quiche is used as a cloud service component, Cloudflare manages remediation for their cloud-hosted service. Check the vendor advisory for confirmation of patch deployment status.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- cloudflare
- Date Reserved
- 2026-06-17T13:35:37.498Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a56616e68715ace43d2700f
Added to database: 07/14/2026, 16:18:54 UTC
Last enriched: 07/14/2026, 16:33:37 UTC
Last updated: 07/15/2026, 02:25:31 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.