CVE-2026-10740

Published: Jun 10, 2026Modified: Jun 10, 2026

6.9

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: ff89ba41-3aa1-4d27-914a-91399e9639e5 (Secondary)

Description

Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a denial of service (degraded availability) by sending crafted QUIC Initial packets. To remediate this issue, users should upgrade to v1.8.2.

Related CWEs

CWE-770

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (3)

https://aws.amazon.com/security/security-bulletins/2026-042-aws/

Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

https://github.com/aws/s2n-quic/releases/tag/v1.82.0

Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

https://github.com/aws/s2n-quic/security/advisories/GHSA-9q54-f358-3fqf

Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Timeline

No history available yet.