Cyber Resilience

CVE-2026-34183

Severity: High · Updated

Published: 09 June 2026
Modified: 17 June 2026
CVSS Score (v3.1): 7.5 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.0051 (39.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-34183 is a high-severity Improperly Controlled Sequential Memory Allocation (CWE-1325) vulnerability in OpenSSL. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). EPSS ranks it at the 39.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Issue summary: A remote peer may exhaust the heap memory of a QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames.

Impact summary: A malicious remote peer can cause an unbounded memory allocation, which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service.

A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame is freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame, which a malicious peer will never do.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue: the QUIC stack is outside the OpenSSL FIPS module boundary.
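The allocation pattern described above can be modelled in a few dozen lines, which makes the failure mode and one bounding control concrete. The C below is an added illustration written for this page, not OpenSSL code and not the project's fix: the `path_state_t` structure, the `max_pending` cap, and the two `simulate_*` helpers are assumptions made for the model. It keeps one record per PATH_RESPONSE (each echoes the challenge's 8-byte value) until the peer acknowledges it; with `max_pending` set to 0 the live-allocation count grows with every unacknowledged challenge, while a non-zero cap refuses further challenges once the pending set is full.

```c
/* Added model (not OpenSSL code) of one PATH_RESPONSE allocation per
 * PATH_CHALLENGE, released only on acknowledgement.  Struct names, the
 * max_pending cap and the simulate_* helpers are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PATH_DATA_LEN 8   /* PATH_CHALLENGE/PATH_RESPONSE carry 8 opaque bytes */

typedef struct pending_response {
    uint8_t data[PATH_DATA_LEN];
    struct pending_response *next;
} pending_response_t;

typedef struct {
    pending_response_t *head;  /* responses sent but not yet acknowledged */
    size_t count;              /* live allocations */
    size_t max_pending;        /* 0 = no cap (the vulnerable shape) */
} path_state_t;

void path_state_init(path_state_t *st, size_t max_pending)
{
    memset(st, 0, sizeof *st);
    st->max_pending = max_pending;
}

/* Peer sent a PATH_CHALLENGE: queue the echo.  Returns 1 if queued,
 * 0 if the cap (or malloc) refused it. */
int on_path_challenge(path_state_t *st, const uint8_t data[PATH_DATA_LEN])
{
    if (st->max_pending != 0 && st->count >= st->max_pending)
        return 0;
    pending_response_t *r = malloc(sizeof *r);
    if (r == NULL)
        return 0;
    memcpy(r->data, data, PATH_DATA_LEN);
    r->next = st->head;
    st->head = r;
    st->count++;
    return 1;
}

/* Peer acknowledged the packet carrying this PATH_RESPONSE: release it.
 * Returns 1 if a matching record was freed, 0 if none was pending. */
int on_path_response_acked(path_state_t *st, const uint8_t data[PATH_DATA_LEN])
{
    pending_response_t **pp = &st->head;
    while (*pp != NULL) {
        if (memcmp((*pp)->data, data, PATH_DATA_LEN) == 0) {
            pending_response_t *victim = *pp;
            *pp = victim->next;
            free(victim);
            st->count--;
            return 1;
        }
        pp = &(*pp)->next;
    }
    return 0;
}

void path_state_free(path_state_t *st)
{
    while (st->head != NULL) {
        pending_response_t *next = st->head->next;
        free(st->head);
        st->head = next;
    }
    st->count = 0;
}

/* Constructed scenario: a peer sends n distinct challenges and never
 * acknowledges any.  Returns how many PATH_RESPONSE records stay allocated. */
size_t simulate_unacked_flood(size_t max_pending, size_t n)
{
    path_state_t st;
    uint8_t data[PATH_DATA_LEN];
    path_state_init(&st, max_pending);
    for (uint64_t i = 0; i < n; i++) {
        for (int j = 0; j < PATH_DATA_LEN; j++)
            data[j] = (uint8_t)(i >> (8 * j));   /* distinct 8-byte value */
        on_path_challenge(&st, data);
    }
    size_t live = st.count;
    path_state_free(&st);
    return live;
}

/* Constructed scenario: a well-behaved peer sends one challenge and then
 * the ACK that releases the response.  Returns records still allocated. */
size_t simulate_challenge_then_ack(void)
{
    path_state_t st;
    const uint8_t data[PATH_DATA_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
    path_state_init(&st, 0);
    on_path_challenge(&st, data);
    on_path_response_acked(&st, data);
    size_t live = st.count;
    path_state_free(&st);
    return live;
}
```

With `max_pending` at 0, `simulate_unacked_flood(0, n)` leaves `n` records live, i.e. heap use is under the remote peer's control; with a cap of 16 it never exceeds 16 no matter how many challenges arrive. A cap is one of several ways to bound this state (keeping only the most recent challenge per path is another); the page does not say which approach the OpenSSL patch takes, so treat the cap here as the model's choice, not the project's.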

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

Remote flooding of PATH_CHALLENGE frames exploits QUIC memory allocation to cause application resource exhaustion and DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42769 · Same product: OpenSSL
CVE-2026-31789 · Same product: OpenSSL
CVE-2026-7383 · Same product: OpenSSL
CVE-2023-6129 · Same product: OpenSSL
CVE-2026-28386 · Same product: OpenSSL
CVE-2022-4203 · Same product: OpenSSL
CVE-2026-28387 · Same product: OpenSSL
CVE-2026-42767 · Same product: OpenSSL
CVE-2023-0464 · Same product: OpenSSL
CVE-2026-28390 · Same product: OpenSSL

Affected Assets

Vendor: openssl
Product: openssl
Affected versions: 4.0.0 · 3.4.0 — 3.4.6 · 3.5.0 — 3.5.7 · 3.6.0 — 3.6.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
