CVE-2026-42764

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-42764
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42764.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-42764
Downstream
Related
Published
2026-06-09T16:03:25.161Z
Modified
2026-06-11T19:59:10.413873256Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
NULL Pointer Dereference in QUIC Server Initial Packet Handling
Details

Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled.

Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service.

If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token.

By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSLLISTENERFLAGNOVALIDATE is used with the SSLnewlistener() call, the address validation is disabled making the vulnerable code reachable.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42764.json",
    "cwe_ids": [
        "CWE-476"
    ],
    "cna_assigner": "openssl"
}
References

Affected packages

Git / github.com/openssl/openssl

Affected ranges

Type
GIT
Repo
https://github.com/openssl/openssl
Events
Introduced
11b7b6ea3b65a584e1d31408ed1bdb139465cffd
Fixed
1e963a8680ec78ad2072792c7a1a71f3c530bd2e
Introduced
7b371d80d959ec9ab4139d09d78e83c090de9779
Fixed
aae016bfd52fcad2bc9657c2c782cfdf73b1ed5f
Introduced
636dfadc70ce26f2473870570bfd9ec352806b1d
Fixed
8cf17aaeb4599f8af87fefd810b5b5fee90fe69e
Database specific 
{
    "extracted_events": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.0.1"
        },
        {
            "introduced": "3.6.0"
        },
        {
            "fixed": "3.6.3"
        },
        {
            "introduced": "3.5.0"
        },
        {
            "fixed": "3.5.7"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

3.*
3.5-POST-CLANG-FORMAT-WEBKIT
3.5-PRE-CLANG-FORMAT-WEBKIT
3.6-POST-CLANG-FORMAT-WEBKIT
3.6-PRE-CLANG-FORMAT-WEBKIT
openssl-3.*
openssl-3.5.0
openssl-3.5.1
openssl-3.5.2
openssl-3.5.3
openssl-3.5.4
openssl-3.5.5
openssl-3.5.6
openssl-3.6.0
openssl-3.6.1
openssl-3.6.2
openssl-4.*
openssl-4.0.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42764.json"