CVE-2026-31812

Name: CVE-2026-31812
Description: Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto's parsing logic, attacker-controlled varints are decoded with unwrap(), so a truncated encoding produces Err(UnexpectedEnd) and the unwrap() panics. This is reachable over the network with a single packet and no prior trust or authentication. This vulnerability is fixed in 0.11.14.
Source: CVE
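The failure mode the description refers to, as an added illustration rather than quinn-proto's own code: a QUIC variable-length integer decoder (encoding per RFC 9000 section 16, assumed here) that reports a truncated encoding as Err(UnexpectedEnd), the unwrap() pattern that turns that error into a process-killing panic, and a list parser that propagates the error so a malformed packet is rejected instead. The DecodeError type and function names are made up for this example.

```rust
// Illustrative code, not quinn-proto's implementation. Decodes QUIC
// variable-length integers (RFC 9000 section 16) from attacker-controlled bytes.

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    UnexpectedEnd,
}

/// Fallible decoder: returns (value, bytes consumed), or UnexpectedEnd when
/// the buffer is shorter than the length prefix claims.
pub fn decode_varint(buf: &[u8]) -> Result<(u64, usize), DecodeError> {
    let first = *buf.first().ok_or(DecodeError::UnexpectedEnd)?;
    // The top two bits of the first byte select a 1, 2, 4 or 8 byte encoding.
    let len = 1usize << (first >> 6);
    if buf.len() < len {
        return Err(DecodeError::UnexpectedEnd);
    }
    // Mask off the length prefix, then accumulate the remaining bytes big-endian.
    let mut value = u64::from(first & 0x3f);
    for &b in &buf[1..len] {
        value = (value << 8) | u64::from(b);
    }
    Ok((value, len))
}

/// The vulnerable pattern: the caller assumes the encoding is complete and
/// unwraps. A truncated encoding arriving from the network becomes a panic.
pub fn decode_varint_unchecked(buf: &[u8]) -> u64 {
    decode_varint(buf).unwrap().0
}

/// Hardened caller in the style of a transport-parameter parser: every varint
/// error is propagated, so the connection code can drop the packet and carry on.
pub fn parse_varint_list(mut buf: &[u8]) -> Result<Vec<u64>, DecodeError> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let (v, n) = decode_varint(buf)?;
        out.push(v);
        buf = &buf[n..];
    }
    Ok(out)
}
```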

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package   | Release  | Version   | Status     |
|------------------|----------|-----------|------------|
| rust-quinn-proto | bookworm | 0.9.2-2   | vulnerable |
|                  | trixie   | 0.11.9-1  | vulnerable |
|                  | forky    | 0.11.13-1 | vulnerable |
|                  | sid      | 0.11.14-1 | fixed      |

The information below is based on the following data on fixed versions.

| Package          | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs |
|------------------|--------|------------|---------------|---------|--------|-------------|
| rust-quinn-proto | source | (unstable) | 0.11.14-1     |         |        |             |

Notes

https://github.com/quinn-rs/quinn/security/advisories/GHSA-6xvm-j4wr-6v98
https://github.com/quinn-rs/quinn/pull/2558
Fixed by: https://github.com/quinn-rs/quinn/commit/655a8ad094e4fad463c90c4666c62db7de56384b
