CVE-2026-34183: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler
Issue summary: A remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames.
Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service.
A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame is freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame, which a malicious peer will not do.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside the OpenSSL FIPS module boundary.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 3.4.6
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a heap memory exhaustion vulnerability in the OpenSSL QUIC stack, specifically in the PATH_CHALLENGE frame handler. The flaw is reachable over the network with no authentication required, meaning any remote peer can trigger it. A successful attack causes unbounded heap allocation that crashes the affected QUIC client or server process, resulting in a denial of service. Patched-image rebuilds at versions 3.4.6, 3.5.7, 3.6.3, and 4.0.1 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-34183 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. This matching covers both base images pulled from public registries and custom-built images that bundle affected OpenSSL versions.
HarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting it against each environment's compliance policy to determine priority. Triage routing to the appropriate team inbox within a customer organization is available based on configured ownership rules.
Patched-image rebuilds targeting OpenSSL 3.4.6, 3.5.7, 3.6.3, or 4.0.1 (whichever matches the affected version in the scanned image) are available on HarborGuard for environments running an affected OpenSSL build. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the target QUIC service over the network and send PATH_CHALLENGE frames to it.
- Authentication: Not required
  No credentials or session tokens are needed; any remote peer can send PATH_CHALLENGE frames without authenticating.
- Victim interaction: Not required
  No user action is required; the vulnerable QUIC stack processes incoming frames automatically without any victim interaction.
- Attack complexity
  Exploit conditions are straightforward and reliable, requiring only the ability to flood the target with PATH_CHALLENGE frames, with no race conditions or environmental dependencies to navigate.
Blast Radius
- Heap memory on the target host is consumed without bound until the operating system or allocator refuses further allocations.
- The QUIC client or server process terminates abnormally, dropping all in-flight connections and making the service unavailable to legitimate users.
- Any application state held in the crashed process that had not been persisted is lost.
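The allocate-per-PATH_CHALLENGE, free-only-on-ACK pattern from the issue summary, as a simplified C model added here for illustration; it is not OpenSSL's code or its fix. The struct and function names and the `MAX_PENDING` cap are assumptions, and capping unacknowledged responses is one possible bounding policy, not necessarily what the patched releases do.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PENDING 4 /* assumed cap for this model, not an OpenSSL constant */
/* One queued PATH_RESPONSE that stays allocated until the peer ACKs it. */
struct pending { uint8_t data[8]; struct pending *next; };
struct conn { struct pending *head; size_t count; };

/* Handle one PATH_CHALLENGE. cap == SIZE_MAX models the advisory's pattern
 * (one allocation per frame). Returns 0 queued, 1 dropped, -1 out of memory. */
static int on_challenge(struct conn *c, const uint8_t data[8], size_t cap)
{
    if (c->count >= cap) return 1;  /* bounded: nothing is allocated */
    struct pending *p = malloc(sizeof(*p));
    if (p == NULL) return -1;
    memcpy(p->data, data, 8);       /* PATH_RESPONSE echoes the challenge bytes */
    p->next = c->head;
    c->head = p;
    c->count++;
    return 0;
}

/* The only release path: the peer acknowledges the queued responses. */
static size_t on_ack_all(struct conn *c)
{
    size_t freed = c->count;
    for (struct pending *p; (p = c->head) != NULL; free(p))
        c->head = p->next;
    c->count = 0;
    return freed;
}

/* Feed n challenges with no ACKs; return how many responses were held. */
static size_t flood(size_t cap, size_t n)
{
    struct conn c = { NULL, 0 };
    const uint8_t data[8] = { 1, 2, 3, 4, 5, 6, 7, 8 }; /* constructed value */
    for (size_t i = 0; i < n; i++)
        on_challenge(&c, data, cap);
    return on_ack_all(&c);          /* cleanup so the model itself does not leak */
}

int main(void)
{
    printf("held: uncapped=%zu capped=%zu\n", flood(SIZE_MAX, 100000), flood(MAX_PENDING, 100000));
    return 0;
}
```

Without a cap the held count equals the number of frames received, which is the growth the advisory describes; with the cap it stays at `MAX_PENDING` regardless of how many frames arrive.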
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-34183 is active across scanning pipelines and will flag any image containing OpenSSL 3.4.x before 3.4.6, 3.5.x before 3.5.7, 3.6.x before 3.6.3, or 4.0.0 before 4.0.1. For customers who opt into auto-remediation, HarborGuard can rebuild the flagged image at the appropriate fix version, execute a regression test run, and open a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and test results are staged and waiting in the customer dashboard. Note that OpenSSL FIPS modules across all affected release lines are not impacted by this issue, so images that use only the FIPS module boundary do not require a rebuild.
Fix available
- OpenSSL / OpenSSL: < 4.0.1 (from 4.0.0) · < 3.6.3 (from 3.6.0) · < 3.5.7 (from 3.5.0) · < 3.4.6 (from 3.4.0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H