Unrated

Unbounded Memory Growth in the OpenSSL QUIC PATH_CHALLENGE Handler

IdentifiersCVE-2026-34183CWE-770

CVE-2026-34183 is a denial-of-service vulnerability in the integrated OpenSSL QUIC stack. A malicious remote QUIC peer can flood a client or server with packets containing PATH_CHALLENGE frames. For each received PATH_CHALLENGE, the local QUIC implementation allocates a corresponding PATH_RESPONSE frame. That allocation is only released after the peer acknowledges receipt of the PATH_RESPONSE. A malicious peer can intentionally avoid acknowledging those responses, causing unbounded heap growth over time. The issue affects OpenSSL QUIC client and server operation and is described as an unbounded allocation flaw in PATH_CHALLENGE handling.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote peer to exhaust heap memory in an application using the vulnerable OpenSSL QUIC stack as either a client or server. This can lead to abnormal process termination and denial of service. The primary impact described in the available material is resource exhaustion rather than code execution or data exposure.

Mitigation

If you can’t patch tonight, do this now.

No specific workaround is provided in the supplied content. Practical mitigation is to avoid exposing vulnerable OpenSSL QUIC endpoints to untrusted peers until patched, or disable/use alternatives to the affected QUIC functionality where operationally feasible. Vendor advisories cited in the content indicate no workaround is available in some distributions.

Remediation

Patch, then assume compromise.

Upgrade OpenSSL to a fixed release. The provided content indicates fixes are available in OpenSSL 4.0.1, 3.6.3, 3.5.7, and 3.4.6; affected versions include 4.0.0 before 4.0.1, 3.6.0 before 3.6.3, 3.5.0 before 3.5.7, and 3.4.0 before 3.4.6. Downstream vendors may also provide patched package versions. The OpenSSL FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected because the QUIC stack is outside the FIPS module boundary.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

FreebsdFreebsdapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

security online infoNews

Jun 10, 2026

OpenSSL Security Patches Fix Remote Code Execution Risk

An OpenSSL QUIC stack denial-of-service vulnerability caused by unbounded memory allocation in response to repeated PATH_CHALLENGE frames, allowing remote memory exhaustion and server crash.

openssl libraryNews

Jun 9, 2026

Vulnerabilities 4.0 | OpenSSL Library

A moderate OpenSSL QUIC denial-of-service vulnerability where a malicious peer can trigger unbounded memory growth by flooding PATH_CHALLENGE frames, exhausting heap memory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-34183

NVD

nvd.nist.gov/vuln/detail/CVE-2026-34183

MITRE CWE · CWE-770

cwe.mitre.org

github.com

github.com/openssl/security/commit/5b306efb0b3779dfdd0803b4afc9d08c91f11517

github.com

github.com/openssl/security/commit/7d06955ebe0ecf8adfd4c1e92018586da47ef9ac

github.com

github.com/openssl/security/commit/d2e9efbe4900a373227deb136e8665401404ffac

github.com

github.com/openssl/security/commit/fbaa83859c01ad64f497b757aaf51be7d05ed9eb

openssl-library.org

openssl-library.org/news/secadv/20260609.txt