CVE-2026-44435 PUBLISHED

Quicly: Remote Denial of Service via assertion failure when CRYPTO stream handshake data exceeds 32KB

Assigner: GitHub_M
Reserved: 06.05.2026 Published: 16.07.2026 Updated: 17.07.2026

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 937d0e9, an assertion failure is raised when the total number of valid handshake messages received over a CRYPTO stream of a single packet number space exceeds 32KB, causing a Denial of Service. This issue has been fixed by commit 937d0e9.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Vendor h2o
Product quicly
Versions
  • Version < 937d0e9 is affected

References

Problem Types

  • CWE-617: Reachable Assertion CWE
  • CWE-400: Uncontrolled Resource Consumption CWE