PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40898 Quic Go Project CVE debrief

CVE-2026-40898 is a denial-of-service (DoS) vulnerability in quic-go's HTTP/3 client and server implementations. An attacker can cause excessive memory allocation by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The result is memory exhaustion, which can crash the process or starve it of resources. Because both sides construct headers the same way, the vulnerability affects servers and clients alike. Version 0.59.1 of quic-go enforces the RFC 9114 decoded field section size limits for trailers, mitigating the vulnerability.

Vendor: Quic Go Project
Product: Quic-Go
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-05
Advisory published: 2026-06-04
Advisory updated: 2026-06-05

Who should care

Users of quic-go's HTTP/3 client and server implementations, particularly those using versions prior to 0.59.1, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

quic-go's HTTP/3 client and server implementations are vulnerable to a denial-of-service (DoS) attack due to excessive memory allocation. An attacker can send a QPACK-encoded HEADERS frame that decodes into a large trailer field section, causing memory exhaustion. This affects both servers and clients. Version 0.59.1 mitigates the vulnerability by enforcing RFC 9114 decoded field section size limits for trailers.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update quic-go to version 0.59.1 or later
  • Monitor for and limit large QPACK-encoded HEADERS frames
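The limit that the 0.59.1 fix enforces, and that the second action above asks operators to apply, can be illustrated with a small Go accumulator (an added example, not quic-go's own code): it applies the RFC 9114 Section 4.2.2 size rule to each field as the QPACK decoder emits it and refuses the field that would cross the cap, so a trailer section with many unique names cannot grow memory past the cap. The `FieldSectionLimiter` type and the sample trailer fields are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Field is one decoded header or trailer field.
type Field struct{ Name, Value string }

// ErrFieldSectionTooLarge signals that decoding must stop and the stream be reset.
var ErrFieldSectionTooLarge = errors.New("http3: decoded field section exceeds limit")

// FieldSize is the RFC 9114 Section 4.2.2 accounted size of one field:
// name length plus value length plus a fixed 32-byte per-field overhead.
func FieldSize(f Field) int { return len(f.Name) + len(f.Value) + 32 }

// FieldSectionLimiter receives fields as the QPACK decoder emits them and checks
// the cap before retaining each one, so memory held for a header or trailer
// section is bounded by max no matter how many fields the peer encoded.
type FieldSectionLimiter struct {
	max, size int
	fields    []Field
}

// NewFieldSectionLimiter takes the size this endpoint is willing to hold (the
// value it would advertise to the peer as SETTINGS_MAX_FIELD_SECTION_SIZE).
func NewFieldSectionLimiter(max int) *FieldSectionLimiter {
	return &FieldSectionLimiter{max: max}
}

// Add accounts for one decoded field before storing it; a rejected field costs
// nothing and Size never exceeds max.
func (l *FieldSectionLimiter) Add(f Field) error {
	if next := l.size + FieldSize(f); next <= l.max {
		l.size, l.fields = next, append(l.fields, f)
		return nil
	}
	return ErrFieldSectionTooLarge
}
func (l *FieldSectionLimiter) Size() int      { return l.size }
func (l *FieldSectionLimiter) Fields() []Field { return l.fields }

func main() {
	// Constructed sample: a small gRPC-style trailer section is accepted, while a
	// stream of unique trailer names is cut off at the cap instead of growing.
	l := NewFieldSectionLimiter(1024)
	fmt.Println(l.Add(Field{"grpc-status", "0"}), l.Add(Field{"grpc-message", ""}))
	for i := 0; l.Add(Field{fmt.Sprintf("x-trailer-%d", i), "v"}) == nil; i++ {}
	fmt.Println("retained", len(l.Fields()), "fields,", l.Size(), "bytes")
}
```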

Evidence notes

CVE-2026-40898 was published on [cve-org] and detailed further on [nvd].

Official resources

CVE-2026-40898 was published on 2026-06-04T19:16:28.713Z and modified on 2026-06-05T21:08:22.357Z.