ALPINE-CVE-2026-34183
- Source
- https://security.alpinelinux.org/vuln/CVE-2026-34183
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-34183.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/ALPINE-CVE-2026-34183
- Upstream
- Published
- 2026-06-09T17:17:05Z
- Modified
- 2026-06-10T09:30:06.010932739Z
- Summary
- [none]
- Details
-
Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames.
Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service.
A remote peer may exhaust heap memory by flooding the local QUIC stack with PATHCHALLENGE frames. The local QUIC stack allocates a PATHRESPONSE frame for every PATHCHALLENGE it receives. The allocated PATHRESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.
- References
Affected packages
Alpine:v3.22 / openssl
Package
- Name
- openssl
- Purl
- pkg:apk/alpine/openssl?arch=source
Alpine:v3.23 / openssl
Package
- Name
- openssl
- Purl
- pkg:apk/alpine/openssl?arch=source