MEDIUM 5.3

CVE-2026-40898: quic-go HTTP/3 Trailer Memory Exhaustion DoS

quic-go, a Go-based QUIC protocol library, contains a denial-of-service flaw in its HTTP/3 implementation that allows remote attackers to exhaust server and client memory by sending malicious HTTP trailer fields. The vulnerability stems from inadequate validation of decoded trailer sizes—the library checks the compressed frame size but fails to enforce limits on the decompressed result. An attacker can craft QPACK-encoded headers with numerous unique field names or oversized values in the trailer section, forcing unbounded memory allocation and potentially crashing affected services.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-770
Affected products
1 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an `http.Header` for the corresponding `http.Request` or `http.Response`, while only enforcing limits on the size of the QPACK-compressed HEADERS frame, not on the decoded field section. This can lead to memory exhaustion. This is very similar to CVE-2025-64702. The difference is that this issue uses HTTP trailers, rather than HTTP headers, as the attack vector. A misbehaving or malicious peer can cause a denial-of-service (DoS) attack against quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or resource exhaustion. This affects both servers and clients due to symmetric header construction. Version 0.59.1 enforces RFC 9114 decoded field section size limits for trailers as well. It incrementally decodes QPACK entries and checks the field section size after each entry, aborting the stream if an entry causes the limit to be exceeded.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-40898 exploits a gap in quic-go's HTTP/3 trailer handling. When a QUIC endpoint receives a HEADERS frame containing trailers, the QPACK decoder decompresses the frame and constructs an http.Header object without enforcing RFC 9114 decoded field section size limits. Unlike the earlier CVE-2025-64702 (which targeted HTTP headers), this variant specifically targets trailer sections, which share the same header construction code path. An attacker can send a legitimately-sized QPACK frame that, when decompressed, produces a massive trailer section, triggering memory exhaustion. The symmetric nature of HTTP/3 header handling means both client and server implementations are vulnerable. Version 0.59.1 remedies this by incrementally decoding QPACK entries and immediately validating the cumulative field section size, aborting the stream if any single entry would exceed the RFC-defined limit.

Business impact

Organizations deploying quic-go-based HTTP/3 services face denial-of-service risk. A targeted attacker can render services unavailable by exhausting memory on production servers or disrupting client-side applications. This is particularly concerning for edge infrastructure, CDNs, and load balancers relying on HTTP/3 for performance. While the CVSS score reflects limited direct damage (no confidentiality or integrity impact), the availability impact is acute: crashed services translate directly to business interruption and customer-facing outages.

Affected systems

Any application using quic-go versions prior to 0.59.1 with HTTP/3 enabled is vulnerable. This includes both server-side deployments (HTTP/3 servers listening on QUIC) and client-side implementations (applications using quic-go's HTTP/3 client library). The vulnerability affects all operating systems and architectures supported by Go, making the affected population broad across cloud providers, on-premises infrastructure, and edge deployments. Verify your quic-go version; projects that have not explicitly updated to 0.59.1 or later are exposed.

Exploitability

Exploitation requires no authentication, special privileges, or user interaction—any network-adjacent attacker can send a malicious QUIC packet to a vulnerable endpoint. The attack is trivial to execute: craft a QPACK-encoded HEADERS frame with a large decoded trailer section and send it over QUIC. No specialized tools are required beyond basic QUIC packet construction libraries. The unauthenticated, low-complexity nature of the attack vector (AV:N/AC:L/PR:N/UI:N) makes this practical for opportunistic attackers scanning for vulnerable HTTP/3 services.

Remediation

Upgrade quic-go to version 0.59.1 or later immediately. This version implements RFC 9114 field section size validation for trailers, preventing unbounded memory allocation. Verify the upgrade in your dependency management tool (go.mod for Go projects). Organizations unable to upgrade immediately should disable HTTP/3 or restrict QUIC access to trusted peers via network policies. Monitor memory usage on affected services for signs of exploitation attempts.

Patch guidance

Update go.mod to require quic-go >= v0.59.1 and run 'go get -u github.com/quic-go/[email protected]'. Rebuild and redeploy your application. Verify the version in running services via dependency manifests or runtime version checks. If you manage a package or container image that bundles quic-go, release a patched version and communicate the update to downstream consumers. For applications that indirectly depend on quic-go through another package, ensure your transitive dependencies are resolved to the patched version—use 'go mod graph' to verify.

Detection guidance

Monitor for sudden memory spikes correlated with incoming QUIC traffic, particularly on HTTP/3 endpoints. Packet capture analysis can identify suspicious QPACK frames with unusually large decoded trailer sections. Log QUIC stream aborts and examine correlating trailer sizes. In quic-go logs, watch for errors related to field section size violations if verbose logging is enabled. Network behavior indicating repeated failed connections followed by high memory utilization may signal active exploitation. Implement resource limits (ulimits, container memory caps) to prevent a single exploited process from cascading system-wide impact.

Why prioritize this

Although rated MEDIUM severity, this vulnerability warrants prompt remediation because HTTP/3 adoption is accelerating in production environments and the exploit is trivial to execute. The denial-of-service impact is immediate and measurable—services crash, not degrade gradually. Publicly available QUIC libraries make weaponization straightforward. Organizations with customer-facing HTTP/3 services or mission-critical HTTP/3-dependent applications should treat this as high priority despite the CVSS score.

Risk score, explained

CVSS 5.3 (MEDIUM) reflects the availability-only impact (no confidentiality or integrity breach) and the lack of authentication/privilege requirements. The score accurately captures that a remote attacker can crash services without additional context. However, the score does not account for business context—availability breaches in production services often carry higher operational weight than the score suggests. Security teams should layer this with asset criticality: HTTP/3 on a non-critical internal lab scores lower risk; HTTP/3 on a public-facing API scores significantly higher.

Frequently asked questions

Do I need to update if I'm not using HTTP/3?

No. quic-go can operate without HTTP/3 (it supports QUIC at the transport layer for other applications). However, verify your configuration. If HTTP/3 is not enabled in your quic-go setup, this vulnerability does not apply. Check your application's quic-go initialization code and ensure HTTP/3 handlers are not registered.

Is there a workaround if I cannot upgrade immediately?

Yes, two options: disable HTTP/3 by not registering HTTP/3 handlers or removing HTTP/3 listener setup, or restrict QUIC access via firewall/network policy to only trusted clients. Both limit attack surface while you prepare for upgrade. Neither is a substitute for patching.

Does this affect quic-go clients differently than servers?

No. Both clients and servers construct http.Header objects from decompressed trailers identically. A malicious server can attack a quic-go client by sending crafted trailers; a malicious peer can attack a quic-go server. Clients connecting to untrusted servers should also upgrade.

How does this compare to CVE-2025-64702?

Both are memory exhaustion attacks in quic-go's HTTP/3 implementation. The earlier CVE targeted the header section; this one targets trailers. The fix pattern is identical: enforce decoded field section size limits per RFC 9114. If you patched 2025-64702, ensure you apply the 0.59.1 patch to close the trailer variant.

This analysis is based on CVE-2026-40898 as published and the quic-go project's advisory. Verify patch version applicability against the official quic-go release notes and your project's dependency manifest. CVSS scores represent baseline severity; organizational impact depends on asset criticality, deployment context, and network exposure. This document does not constitute legal or compliance advice. Security teams should validate findings against their specific environment and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).