HIGH 7.5

CVE-2026-42764: OpenSSL QUIC Server NULL Pointer Denial of Service Vulnerability

OpenSSL's QUIC server implementation contains a flaw that can crash the server when it receives specially crafted initial connection packets. This only affects servers that have explicitly disabled address validation—a non-default setting. An unauthenticated attacker on the network can exploit this by sending a QUIC initial packet with an invalid token, causing the server process to terminate abruptly and become unavailable. The vulnerability does not lead to data theft or unauthorized access, only service disruption.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service. If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token. By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with the SSL_new_listener() call, the address validation is disabled making the vulnerable code reachable. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42764 is a NULL pointer dereference in OpenSSL's QUIC server when processing initial packets with invalid tokens. The vulnerability exists in the token validation code path and is reachable only when the SSL_LISTENER_FLAG_NO_VALIDATE flag is used with SSL_new_listener(), disabling client address validation. The default configuration includes address validation, which prevents the vulnerable code path from being triggered. The flaw resides outside the OpenSSL FIPS module boundary, so FIPS-validated modules in versions 3.0 through 4.0 are unaffected.

Business impact

Organizations running QUIC services with address validation disabled face availability risk. A single malformed packet can terminate the QUIC listener process, requiring manual restart and causing service interruption. In production environments where QUIC is relied upon for HTTP/3 or other protocols, this becomes a denial-of-service vector that could impact user-facing services. The risk is amplified in edge or load-balancing scenarios where QUIC listeners handle high traffic volumes without redundancy.

Affected systems

OpenSSL versions with QUIC support (3.0 and later) are potentially affected, but only when configured with SSL_LISTENER_FLAG_NO_VALIDATE. Standard OpenSSL deployments and applications using the default listener configuration are not vulnerable. FIPS modules in versions 3.0, 3.4, 3.5, 3.6, and 4.0 are explicitly unaffected because the flaw is outside the FIPS module boundary.

Exploitability

Exploitation requires network access to send a QUIC initial packet—no authentication or user interaction is needed. The attack is trivial to execute: any network-adjacent attacker with the ability to reach the QUIC listener can craft and transmit the malicious packet. The barrier to exploitation is low, making this a practical denial-of-service threat for any exposed QUIC server that has disabled address validation. However, the non-default nature of the vulnerable configuration limits the number of affected deployments.

Remediation

The primary mitigation is to ensure address validation remains enabled (the default behavior). Do not use SSL_LISTENER_FLAG_NO_VALIDATE unless there is a specific technical requirement. If address validation must be disabled, isolate the QUIC listener behind a network boundary or implement external packet filtering to restrict initial packet sources. Monitor vendor advisories for patched OpenSSL versions that address this NULL pointer dereference. When patches become available, prioritize upgrading QUIC-enabled OpenSSL deployments.

Patch guidance

Check the OpenSSL security advisory and release notes for the fixed versions addressing CVE-2026-42764. Verify the patch versions against the official OpenSSL project announcements before deployment. Apply patches to all systems running QUIC-enabled OpenSSL with custom listener configurations. Test in a non-production environment first, particularly if SSL_LISTENER_FLAG_NO_VALIDATE is in use, to confirm stability. Standard deployments using default configurations should upgrade as part of regular patching cycles.

Detection guidance

Monitor for unexpected QUIC listener process terminations or crashes, particularly if they correlate with sudden bursts of network traffic on the QUIC port. Implement network-based detection for malformed QUIC initial packets by analyzing packet headers for invalid token fields. Review application logs and system logs for crashes or core dumps involving OpenSSL's QUIC code. Organizations that have enabled SSL_LISTENER_FLAG_NO_VALIDATE should audit their infrastructure to document which systems use this configuration and prioritize them for immediate attention.

Why prioritize this

This vulnerability merits high attention due to its ease of exploitation (network-accessible, no auth required), immediate availability impact, and the straightforward nature of the attack. The HIGH CVSS score (7.5) reflects the severity of denial-of-service impact. While the non-default nature of the vulnerable configuration limits affected deployments, any organization that has explicitly disabled address validation is exposed and should remediate urgently. The simplicity of crashing a QUIC server with a single packet makes this a practical denial-of-service threat.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) is driven by network exploitability (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), low attack complexity, and high availability impact (A:H). The score appropriately reflects that any unauthenticated attacker can remotely crash the service without special conditions. The absence of confidentiality and integrity impact (C:N/I:N) prevents a critical rating, as the flaw only denies service—it does not leak data or enable unauthorized access. For organizations using the vulnerable configuration, the practical risk is high despite the theoretical limit of a HIGH score.

Frequently asked questions

Is my OpenSSL QUIC deployment vulnerable by default?

No. The vulnerability requires SSL_LISTENER_FLAG_NO_VALIDATE to be explicitly set when calling SSL_new_listener(). Standard OpenSSL QUIC deployments use address validation by default and are not vulnerable. You are only at risk if your application or configuration intentionally disables address validation.

Can this vulnerability be exploited without network access?

No. An attacker must be able to send network packets to the QUIC listener port. However, no authentication, special privileges, or user interaction is required—any network-adjacent attacker can craft and transmit a malicious QUIC initial packet.

What are the consequences of exploitation?

The server process crashes and becomes unavailable, causing a denial of service. Users cannot establish new QUIC connections until the process is restarted. However, the attacker cannot read data, modify traffic, or gain remote code execution—the impact is limited to service interruption.

Do I need to patch if address validation is enabled?

Patching is still recommended as part of routine security maintenance, but your immediate risk is low if you are using the default configuration. Prioritize patching systems that explicitly disable address validation. Verify through your configuration management that address validation has not been inadvertently disabled in your QUIC listener setup.

This analysis is based on publicly disclosed vulnerability information current as of the publication date. Verify all patch version numbers and affected software versions against the official OpenSSL security advisory before implementing any remediation. The vulnerability details, CVSS score, and affected versions are derived from authoritative sources; however, individual environment configurations may vary. Organizations should conduct their own assessment of exposure and apply patches according to their risk management policies. No exploit code or weaponized proof-of-concept details are provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).