VDB
CVE-2026-31812
PUBLISHED
CVSS 8.7 HIGH
Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto parsing logic, attacker-controlled varints are decoded with unwrap(), so truncated encodings cause Err(UnexpectedEnd) and panic. This is reachable over the network with a single packet and no prior trust or authentication. This vulnerability is fixed in 0.11.14.
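The failure mode described above, as an added example (not quinn-proto's code and not taken from the advisory): a minimal QUIC varint decoder with the `unwrap()` pattern beside an error-propagating one. The function names, the `Error` type, the sample bytes, and the simplification that every parameter value is a single varint are assumptions made for illustration.

```rust
// Added illustration, not quinn-proto source; all names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum Error { UnexpectedEnd, Malformed }

/// Decode one QUIC varint (RFC 9000, section 16) from the front of `buf`.
pub fn read_varint(buf: &mut &[u8]) -> Result<u64, Error> {
    let first = *buf.first().ok_or(Error::UnexpectedEnd)?;
    let len = 1usize << (first >> 6); // top two bits select 1, 2, 4 or 8 bytes
    if buf.len() < len { return Err(Error::UnexpectedEnd); } // truncated encoding
    let (head, rest) = buf.split_at(len);
    let v = head[1..].iter().fold(u64::from(first & 0x3f), |v, &b| (v << 8) | u64::from(b));
    *buf = rest;
    Ok(v)
}

/// Panicking pattern: peer-controlled bytes reach `unwrap()`.
pub fn parse_params_unwrap(mut buf: &[u8]) -> Vec<(u64, u64)> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let id = read_varint(&mut buf).unwrap();
        let len = read_varint(&mut buf).unwrap() as usize;
        let (mut value, rest) = buf.split_at(len.min(buf.len()));
        out.push((id, read_varint(&mut value).unwrap())); // truncated value: panic
        buf = rest;
    }
    out
}

/// Hardened pattern: every decode error is returned to the caller.
pub fn parse_params(mut buf: &[u8]) -> Result<Vec<(u64, u64)>, Error> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let id = read_varint(&mut buf)?;
        let len = read_varint(&mut buf)?;
        if len > buf.len() as u64 { return Err(Error::UnexpectedEnd); }
        let (mut value, rest) = buf.split_at(len as usize);
        out.push((id, read_varint(&mut value)?));
        if !value.is_empty() { return Err(Error::Malformed); } // trailing bytes after the varint
        buf = rest;
    }
    Ok(out)
}

fn main() {
    let ok: [u8; 4] = [0x04, 0x02, 0x40, 0x64]; // constructed: id 0x04, length 2, value 100
    let truncated: [u8; 3] = [0x04, 0x01, 0x40]; // constructed: value claims 2 bytes, has 1
    println!("{:?}", parse_params(&ok));
    println!("{:?}", parse_params(&truncated));
}
```

In a service that cannot upgrade immediately, a panic of this kind shows up as a task or process abort rather than a connection error, so crash logs are the place to look for it.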
EPSS 0.24% · 47.1th percentile
Risk Scores
CVSS 4.0
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.24%
47.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| quinn-rs | quinn | < 0.11.14, < 0.11.14, * |
| crates.io | quinn-proto | 0, 0, 0 |
Exploit Intelligence
- CIRCL seen: CVE-2026-31812 (circl-sighting)
- https://github.com/quinn-rs/quinn/security/advisories/GHSA-6xvm-j4wr-6v98 (circl)
Timeline
- Mar 9, 2026 CVE Published
- Mar 11, 2026 EPSS Score
- Mar 12, 2026 EPSS Score
- Mar 13, 2026 EPSS Score
- Mar 14, 2026 EPSS Score
- Mar 15, 2026 EPSS Score
- Mar 16, 2026 EPSS Score
- Mar 17, 2026 EPSS Score
- Mar 17, 2026 Coalition ESS Score
- Mar 17, 2026 Security Advisory
- Mar 18, 2026 EPSS Score
- Mar 19, 2026 EPSS Score