High

Unbounded Memory Growth in the OpenSSL QUIC PATH_CHALLENGE Handler

IdentifiersCVE-2026-34183CWE-770

CVE-2026-34183 is a denial-of-service vulnerability in the OpenSSL integrated QUIC stack. A malicious remote QUIC peer can exhaust heap memory by flooding a QUIC client or server with packets containing PATH_CHALLENGE frames. For each received PATH_CHALLENGE, the local QUIC stack allocates a corresponding PATH_RESPONSE frame. That PATH_RESPONSE allocation is only freed after the remote peer acknowledges receipt of the PATH_RESPONSE. A malicious peer can intentionally avoid acknowledging those responses, causing unbounded accumulation of allocated PATH_RESPONSE frames and resulting in uncontrolled heap growth. The issue affects OpenSSL QUIC implementations, including affected branches noted in the supporting content: 4.0.0 before 4.0.1, 3.6.0 before 3.6.3, 3.5.0 before 3.5.7, and 3.4.0 before 3.4.6. The OpenSSL FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected because the QUIC stack is outside the FIPS module boundary.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote peer to drive unbounded heap allocation in an application acting as either a QUIC server or QUIC client. This can exhaust available memory, trigger abnormal process termination or crashes, and cause denial of service. The provided content does not indicate code execution or confidentiality/integrity impact; the documented impact is resource exhaustion leading to service disruption.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling or avoiding use of the vulnerable OpenSSL QUIC functionality where operationally feasible, and prefer non-QUIC/TCP-based TLS paths for exposed services. Limit QUIC exposure to trusted peers or restricted networks where possible, and use network-level rate limiting or filtering to reduce the ability of remote peers to flood endpoints with PATH_CHALLENGE frames. No complete workaround is identified in the provided content.

Remediation

Patch, then assume compromise.

Upgrade OpenSSL to a fixed release. Based on the provided content, fixes are available in OpenSSL 4.0.1, 3.6.3, 3.5.7, and 3.4.6. Downstream vendors have also shipped patched packages, including Alpine Linux releases 3.24.1, 3.23.5, and 3.22.5, and Debian package updates referenced in the supplied advisories. Apply vendor patches and restart affected applications or services using the vulnerable OpenSSL QUIC stack after updating.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

FreebsdFreebsdapplication

OpenSSL Software FoundationOpensslapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

23 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

23 SOURCESView more in app

alpinelinuxNews

Jun 21, 2026

Alpine 3.22.5, 3.23.5 released | Alpine Linux

An OpenSSL vulnerability addressed in Alpine Linux 3.22.5 and 3.23.5 as part of the June 9, 2026 OpenSSL advisory.

alpinelinuxNews

Jun 13, 2026

Alpine 3.24.1 released | Alpine Linux

An OpenSSL vulnerability addressed in Alpine Linux 3.24.1 as part of the June 9, 2026 advisory.

security online infoNews

Jun 10, 2026

OpenSSL Security Patches Fix Remote Code Execution Risk

An OpenSSL QUIC stack denial-of-service vulnerability caused by unbounded memory allocation in response to repeated PATH_CHALLENGE frames, allowing remote memory exhaustion and server crash.

openssl libraryNews

Jun 9, 2026

Vulnerabilities 4.0 | OpenSSL Library

A moderate OpenSSL QUIC denial-of-service vulnerability where a malicious peer can trigger unbounded memory growth by flooding PATH_CHALLENGE frames, exhausting heap memory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity15

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-34183

NVD

nvd.nist.gov/vuln/detail/CVE-2026-34183

MITRE CWE · CWE-770

cwe.mitre.org

Patch

github.com/openssl/openssl/commit/5b306efb0b3779dfdd0803b4afc9d08c91f11517

Patch

github.com/openssl/openssl/commit/7d06955ebe0ecf8adfd4c1e92018586da47ef9ac

Patch

github.com/openssl/openssl/commit/d2e9efbe4900a373227deb136e8665401404ffac

Patch

github.com/openssl/openssl/commit/fbaa83859c01ad64f497b757aaf51be7d05ed9eb

Vendor Advisory

openssl-library.org/news/secadv/20260609.txt