
CVE-2026-42764: OpenSSL QUIC Server Crash Vulnerability Requires Immediate Review

Vulnerabilities Reporter

OpenSSL QUIC servers can be crashed remotely when address validation is disabled. Patch affected OpenSSL 4.0, 3.6, and 3.5 deployments now.

Impact

CVE-2026-42764 affects OpenSSL QUIC servers built on a vulnerable OpenSSL branch and configured with client address validation disabled.

The result is denial of service. A remote attacker sends a QUIC Initial packet carrying an invalid or expired address-validation token; the vulnerable server dereferences a NULL pointer while handling it, and the process terminates.

Availability is the risk.

The vulnerability is tracked by NVD as CVE-2026-42764. CISA ADP lists the CVSS 3.1 score as 7.5 High, with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. OpenSSL rates the issue Moderate in its June 9, 2026 security advisory.

Affected Products

Affected:

  • OpenSSL 4.0 before 4.0.1
  • OpenSSL 3.6 before 3.6.3
  • OpenSSL 3.5 before 3.5.7

Not affected:

  • OpenSSL 3.4
  • OpenSSL 3.0
  • OpenSSL 1.1.1
  • OpenSSL 1.0.2
  • OpenSSL FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0

The QUIC implementation lives outside the OpenSSL FIPS module boundary. That is why the FIPS modules are listed as unaffected, and it also means a FIPS-validated build gains no protection on this path: the QUIC server code runs outside the module regardless of validation status.

Technical Details

The bug is a NULL pointer dereference in OpenSSL QUIC server initial packet handling.

QUIC runs over UDP and carries its own transport security and connection establishment, so its startup differs from classic TCP plus TLS. During connection startup, a client sends an Initial packet. Servers can require address validation before spending more resources on that client: the server answers the first Initial with a Retry packet carrying a token, and the client must echo that token in a new Initial before the server allocates connection state (RFC 9000, Section 8.1). Because a spoofed source cannot receive the token, this reduces spoofing and amplification risk.

OpenSSL enables client address validation by default in its QUIC server implementation. That default blocks the vulnerable path.

The risk appears when an application disables address validation by using SSL_LISTENER_FLAG_NO_VALIDATE with SSL_new_listener(). In that configuration, a remote attacker can send an initial packet carrying an invalid or expired token. The affected OpenSSL QUIC server code can reach a NULL pointer dereference and crash the process.

No credentials are required. No user interaction is required. The attack is network reachable.

This is not a confidentiality issue. This is not an integrity issue. It is an availability issue with direct operational impact for exposed QUIC services.

Severity

CISA ADP CVSS 3.1: 7.5 High.

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

That means:

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality impact: None
  • Integrity impact: None
  • Availability impact: High

OpenSSL rates the issue Moderate because address validation is enabled by default; reaching the vulnerable code requires an application to opt out of it.

Do not treat that as low priority. Internet-facing QUIC services often sit on latency-sensitive paths. A repeatable process crash can become an outage.

Required Action

Patch immediately where affected OpenSSL versions are deployed with QUIC server functionality.

Upgrade to fixed versions:

  • OpenSSL 4.0 users: upgrade to OpenSSL 4.0.1
  • OpenSSL 3.6 users: upgrade to OpenSSL 3.6.3
  • OpenSSL 3.5 users: upgrade to OpenSSL 3.5.7

Also audit source code and runtime configuration.

Search for SSL_LISTENER_FLAG_NO_VALIDATE. If it is present, confirm why address validation was disabled. Remove it unless there is a documented operational requirement. Re-enable client address validation for QUIC listeners.

For packaged software, apply vendor updates. Do not assume the system OpenSSL version is the only copy in use. Check containers, statically linked services, language runtime bundles, appliances, and custom QUIC gateways.

Mitigation Steps

Use this order:

  1. Identify systems running OpenSSL 4.0, 3.6, or 3.5.
  2. Identify applications using OpenSSL QUIC server APIs.
  3. Search code for SSL_new_listener() and SSL_LISTENER_FLAG_NO_VALIDATE.
  4. Re-enable address validation where possible.
  5. Upgrade OpenSSL to 4.0.1, 3.6.3, or 3.5.7.
  6. Restart dependent services.
  7. Confirm the loaded library version at runtime.
  8. Monitor crash logs for QUIC listener failures and abnormal process termination.
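The version triage in steps 1, 5 and 7 and the source audit in step 3 (the same SSL_LISTENER_FLAG_NO_VALIDATE search the Required Action section calls for), as an added shell example. It is not OpenSSL project code and not from the advisory; it assumes grep with -r, mktemp -d, and the standard first line of `openssl version` ("OpenSSL x.y.z ..."). The C fragment it writes is a constructed fixture that puts the weak listener setting next to the corrected call (passing 0 to SSL_new_listener(), which keeps the default address validation), so the audit has something to find when run offline.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-42764. Not OpenSSL project code and not
# from the advisory; it automates two of the mitigation steps above:
#   1. decide whether an OpenSSL version string falls in an affected range
#   2. find QUIC listener sites in application source and flag the
#      SSL_LISTENER_FLAG_NO_VALIDATE setting that exposes the crash path

# openssl_affected VERSION
# Exit 0 if VERSION is an affected build, 1 if it is not, 2 if unparseable.
# Accepts a bare "3.5.4" or the first line of `openssl version`
# ("OpenSSL 3.5.4 ...").
openssl_affected() {
    s=${1#"OpenSSL "}
    ver=$(printf '%s\n' "$s" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        4.0) [ "$patch" -lt 1 ] ;;   # fixed in 4.0.1
        3.6) [ "$patch" -lt 3 ] ;;   # fixed in 3.6.3
        3.5) [ "$patch" -lt 7 ] ;;   # fixed in 3.5.7
        *)   return 1 ;;             # 3.4, 3.0, 1.1.1, 1.0.2: not affected
    esac
}

# report VERSION: human-readable verdict, distinguishing unparseable input
# (which must be investigated, not silently treated as safe).
report() {
    rc=0
    openssl_affected "$1" || rc=$?
    case $rc in
        0) printf 'AFFECTED      %s\n' "$1" ;;
        1) printf 'not affected  %s\n' "$1" ;;
        *) printf 'UNPARSEABLE   %s\n' "$1" ;;
    esac
}

# audit_quic_listeners DIR
# Print each source line that creates a QUIC listener or names the
# validation-disabling flag. Exit 0 if the flag appears anywhere (a finding),
# non-zero if it does not.
audit_quic_listeners() {
    grep -rn -e 'SSL_new_listener' -e 'SSL_LISTENER_FLAG_NO_VALIDATE' "$1" 2>/dev/null || :
    grep -rq 'SSL_LISTENER_FLAG_NO_VALIDATE' "$1" 2>/dev/null
}

# make_fixture
# Write a constructed C fragment (not real application code) so the audit has
# something to find offline, and print the directory it was written to.
make_fixture() {
    d=$(mktemp -d)
    cat >"$d/server.c" <<'EOF'
/* constructed fixture: weak setting next to the corrected one */
SSL *lst = SSL_new_listener(ctx, SSL_LISTENER_FLAG_NO_VALIDATE); /* crash path reachable */
/* hardened: SSL *lst = SSL_new_listener(ctx, 0);  default address validation stays on */
EOF
    printf '%s\n' "$d"
}

main() {
    # Constructed version strings covering each decision branch.
    for v in "OpenSSL 4.0.0" 4.0.1 3.6.2 3.6.3 3.5.6 3.5.7 3.4.2 1.1.1w; do
        report "$v"
    done
    # Step 7: the library actually on this host (skipped if no openssl binary).
    if command -v openssl >/dev/null 2>&1; then
        report "$(openssl version 2>/dev/null | head -n 1)"
    fi
    # Step 3: audit a source tree (here the constructed fixture).
    fx=$(make_fixture)
    if audit_quic_listeners "$fx"; then
        printf 'FINDING: SSL_LISTENER_FLAG_NO_VALIDATE set; pass 0 to SSL_new_listener() instead\n'
    fi
    rm -rf "$fx"
}

main "$@"
```

Run it as-is for the demonstration, or call openssl_affected and audit_quic_listeners from an inventory job, pointing the audit at the source tree of each vendored or statically linked copy rather than only at the system library. Treat UNPARSEABLE as an open item, not as a pass.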

Temporary mitigation is limited. Keeping address validation enabled (the default) blocks the known vulnerable path, but that is a configuration dependency, not a fix, and it does not substitute for patching.

If patching is delayed, restrict exposure of affected QUIC services. Rate-limit untrusted UDP traffic where feasible. Use upstream filtering. Watch for repeated QUIC initial packets with invalid or expired tokens followed by service restarts.

Timeline

  • March 27, 2026: Sunwoo Lee, Hyuk Lim, and Seunghyun Yoon of KENTECH reported the issue and submitted the fix.
  • June 9, 2026: OpenSSL published its security advisory.
  • June 9, 2026: NVD published the CVE record.
  • June 9, 2026: CISA ADP added the CVSS 3.1 High score.
  • June 10, 2026: NVD recorded OpenSSL reference updates and continued enrichment.

Fix References

OpenSSL lists upstream fixes in the public repository:

Track the official advisory through OpenSSL security advisories and the NVD CVE entry.
