CVE-2026-31812
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk39th percentile - higher than 39% of all known CVEs
Summary
A vulnerability in Quinn before version 0.11.14 allows a remote, unauthenticated attacker to trigger a denial of service (DoS) by sending a crafted QUIC Initial packet with malformed transport parameters. The flaw is due to the use of unwrap() when decoding varints, causing a panic on truncated encoding.
Risk Assessment
An attacker can crash applications using vulnerable Quinn versions with a single packet and no prior authentication, leading to service disruption and potential financial or operational losses.
Recommendation
Immediately upgrade Quinn to version 0.11.14 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto parsing logic, attacker-controlled varints are decoded with unwrap(), so truncated encodings cause Err(UnexpectedEnd) and panic. This is reachable over the network with a single packet and no prior trust or authentication. This vulnerability is fixed in 0.11.14.

