CVE-2026-31812

Publication date 10 March 2026

Last updated 18 March 2026

Ubuntu priority

Description

Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto parsing logic, attacker-controlled varints are decoded with unwrap(), so truncated encodings cause Err(UnexpectedEnd) and panic. This is reachable over the network with a single packet and no prior trust or authentication. This vulnerability is fixed in 0.11.14.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
rust-quinn-proto	25.10 questing	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Not in release

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2026-31812
https://rustsec.org/advisories/RUSTSEC-2026-0037.html
https://github.com/quinn-rs/quinn/security/advisories/GHSA-6xvm-j4wr-6v98
https://github.com/quinn-rs/quinn/pull/2558

CVE-2026-31812

Description

Status

References

Other references

Access our resources on patching vulnerabilities