Severity: HIGH · CVE-2026-42764 · CNA: openssl

CVE-2026-42764: NULL Pointer Dereference in QUIC Server Initial Packet Handling

Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server when address validation is disabled.

Impact summary: A NULL pointer dereference typically causes abnormal termination of the affected QUIC server process, resulting in a Denial of Service. If address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token. By default, client address validation is enabled in the OpenSSL QUIC server implementation, so the default configuration is not vulnerable to this issue. However, if SSL_LISTENER_FLAG_NO_VALIDATE is passed to the SSL_new_listener() call, address validation is disabled and the vulnerable code becomes reachable. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 3.5.7
  • Affected products: 1


HarborGuard Analysis

Synopsis

A NULL pointer dereference in OpenSSL's QUIC server initial packet handling allows an unauthenticated remote attacker to crash the affected server process. The vulnerability is reachable over the network without any credentials, but only when address validation has been explicitly disabled via the SSL_LISTENER_FLAG_NO_VALIDATE flag; the default OpenSSL QUIC server configuration is not affected. Successful exploitation causes the QUIC server process to terminate abnormally, resulting in a denial of service. Patched-image rebuilds at versions 3.5.7, 3.6.3, and 4.0.1 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-42764 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream advisory feeds including the OpenSSL CNA, covering both standard base images and custom-built images that bundle an affected OpenSSL version. Any image layer containing an OpenSSL build in the affected version ranges is flagged automatically in the pipeline scan results.

Triage: Available

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector, with per-environment compliance policy weighting applied to prioritize findings based on each organization's risk thresholds. Triage results are routed to the appropriate team inbox within each customer org according to their configured notification rules.

Patch: Available

A patched-image rebuild at OpenSSL 3.5.7, 3.6.3, or 4.0.1 (matching the version branch in use) becomes available through HarborGuard once the upstream fix is confirmed present in the base image or dependency layer. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the QUIC server over the network by sending a crafted initial packet to the listening endpoint.

  • Authentication: Not required

    No credentials or prior session are needed; the malformed packet can be sent by any unauthenticated client.

  • Victim interaction: Not required

    No user or administrator action is required; the server processes the incoming packet automatically.

  • Attack complexity: Low

    Exploitation is reliable and condition-free once the vulnerable code path is reachable, requiring only that address validation has been disabled via SSL_LISTENER_FLAG_NO_VALIDATE.

Blast Radius

  • Crashes the QUIC server process, taking down all active QUIC connections served by that process.
  • Makes the service unavailable to all clients until the process is restarted, with no data disclosure or modification.
  • Repeated packet injection can sustain the denial of service across restarts if the vulnerable configuration remains in place.

How HarborGuard Handles This

Available on HarborGuard: detection, triage, and patched-image rebuild for CVE-2026-42764 across all scanned environments. Images containing OpenSSL versions in the affected ranges (4.0.0 to pre-4.0.1, 3.6.0 to pre-3.6.3, 3.5.0 to pre-3.5.7) are flagged automatically in pipeline scans. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the appropriate fix version, runs a regression test, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Because the default OpenSSL QUIC configuration is not vulnerable (address validation is on by default), triage should prioritize images whose runtime configuration explicitly sets SSL_LISTENER_FLAG_NO_VALIDATE. Customers who need additional time to patch should consider network-policy isolation to restrict which sources can reach the QUIC listener port as a compensating control while the rebuild is prepared.
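The triage rule above (prioritize affected builds whose listener sets SSL_LISTENER_FLAG_NO_VALIDATE) as a small helper, added here as an illustration and not HarborGuard's or OpenSSL's own code; the inventory rows are constructed, and the version ranges are the ones published for this CVE.

```python
import re
from typing import Optional, Tuple

# Affected ranges [lo, hi) and the first fixed release per branch, per the advisory.
AFFECTED_RANGES = (
    ((4, 0, 0), (4, 0, 1)),
    ((3, 6, 0), (3, 6, 3)),
    ((3, 5, 0), (3, 5, 7)),
)

def parse_version(text: str) -> Tuple[int, ...]:
    """Extract x.y.z from strings such as '3.6.2' or 'OpenSSL 3.5.4'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def fix_version(version: str) -> Optional[str]:
    """Return the fixed release for the build's branch, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None

def triage(version: str, no_validate_flag: bool) -> str:
    """An affected build whose listener disables address validation exposes the
    NULL dereference to any unauthenticated client, so it goes first."""
    fix = fix_version(version)
    if fix is None:
        return "not-affected"
    if no_validate_flag:
        return f"prioritize: rebuild to {fix}; vulnerable path reachable"
    return f"patch: rebuild to {fix}; default validation blocks the path"

# Constructed inventory: (image, OpenSSL version string, NO_VALIDATE flag seen in config)
SAMPLE_INVENTORY = [
    ("quic-edge:1.2", "OpenSSL 3.6.2", True),
    ("quic-edge:1.3", "3.6.3", True),
    ("api-gw:7", "3.5.4", False),
    ("legacy:2", "3.4.1", True),  # 3.4 branch is outside the affected ranges
]

def triage_inventory(rows=SAMPLE_INVENTORY):
    return {image: triage(ver, flag) for image, ver, flag in rows}

if __name__ == "__main__":
    for image, verdict in triage_inventory().items():
        print(f"{image:14} {verdict}")
```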


Fix available

  • 3.5.7
  • 3.6.3
  • 4.0.1

Affected packages

  • OpenSSL / OpenSSL
    < 4.0.1 (from 4.0.0) · < 3.6.3 (from 3.6.0) · < 3.5.7 (from 3.5.0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H