CVE-2026-11941 (GCVE-0-2026-11941)

Vulnerability from cvelistv5 – Published: 2026-06-19 09:55 – Updated: 2026-06-19 09:55
Title
Use-after-free in connection ID iterator and FFI functions
Summary
Cloudflare Quiche was affected by 2 use-after-free vulnerabilities in the connection ID iterator FFI functions.

The “quiche_connection_id_iter_next” and “quiche_conn_retired_scid_next” functions would return a pointer to a “ConnectionId” to the applications via function arguments, but the owned “ConnectionId” would be dropped at the end of those functions' scope.

Only applications using those FFI functions are affected. The FFI API is disabled by default by a build-time feature flag.

Impact
If unpatched, an application calling the affected FFI functions will dereference freed memory. The most likely outcome is undefined behavior leading to a process crash (denial of service). Depending on allocator state, the read may also return adjacent heap contents, resulting in limited information disclosure or incorrect connection identifier handling.

Mitigation
Users are requested to upgrade to quiche 0.29.2 which is the earliest version containing the fix for this issue.
CWE
CWE-416 Use after free
Assigner
cloudflare
Impacted products
Vendor Product Version
Cloudflare Quiche Affected: 0.20.0, ≤ 0.29.1 (semver)
Date Public
2026-06-19 09:49

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Quiche",
          "repo": "https://github.com/cloudflare/quiche",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThanOrEqual": "0.29.1",
              "status": "affected",
              "version": "0.20.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-06-19T09:49:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eCloudflare Quiche was affected by 2 use-after-free vulnerabilities in the connection ID iterator FFI functions.\u003c/p\u003e\u003cp\u003eThe \u201cquiche_connection_id_iter_next\u201d and \u201cquiche_conn_retired_scid_next\u201d functions would return a pointer to a \u201cConnectionId\u201d to the applications via function arguments, but the owned \u201cConnectionId\u201d would be dropped at the end of those functions\u0027 scope.\u003c/p\u003e\u003cp\u003eOnly applications using those FFI functions are affected. The FFI API is disabled by default by a build-time feature flag.\u003c/p\u003e\u003cp\u003e\u003cspan\u003e\u003cb\u003eImpact\u003cbr\u003e\u003c/b\u003e\u003c/span\u003e\u003cspan\u003eIf unpatched, an application calling the affected FFI functions will dereference freed memory. The most likely outcome is undefined behavior leading to a process crash (denial of service). Depending on allocator state, the read may also return adjacent heap contents, resulting in limited information disclosure or incorrect connection identifier handling.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan\u003e\u003cb\u003eMitigation\u003cbr\u003e\u003c/b\u003e\u003c/span\u003e\u003cspan\u003eUsers are requested to upgrade to quiche 0.29.2 which is the earliest version containing the fix for this issue.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003e\u003c/b\u003e\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "Cloudflare Quiche was affected by 2 use-after-free vulnerabilities in the connection ID iterator FFI functions.\n\n\n\nThe \u201cquiche_connection_id_iter_next\u201d and \u201cquiche_conn_retired_scid_next\u201d functions would return a pointer to a \u201cConnectionId\u201d to the applications via function arguments, but the owned \u201cConnectionId\u201d would be dropped at the end of those functions\u0027 scope.\n\n\n\nOnly applications using those FFI functions are affected. The FFI API is disabled by default by a build-time feature flag.\n\n\n\nImpact\nIf unpatched, an application calling the affected FFI functions will dereference freed memory. The most likely outcome is undefined behavior leading to a process crash (denial of service). Depending on allocator state, the read may also return adjacent heap contents, resulting in limited information disclosure or incorrect connection identifier handling.\n\n\n\nMitigation\nUsers are requested to upgrade to quiche 0.29.2 which is the earliest version containing the fix for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use after free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-19T09:55:54.501Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-mh64-ph39-mrc9"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Use-after-free in connection ID iterator and FFI functions",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2026-11941",
    "datePublished": "2026-06-19T09:55:54.501Z",
    "dateReserved": "2026-06-10T20:16:34.590Z",
    "dateUpdated": "2026-06-19T09:55:54.501Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

