RUSTSEC-2026-0037: Denial of service in Quinn endpoints


> Denial of service in Quinn endpoints

| Details             |                                                |
| ------------------- | ---------------------------------------------- |
| Package             | `quinn-proto`                      |
| Version             | `0.11.13`                   |
| URL                 | [https://github.com/quinn-rs/quinn/pull/2559](https://github.com/quinn-rs/quinn/pull/2559) |
| Date                | 2026-03-09                         |
| Patched versions    | `>=0.11.14`                  |
| Unaffected versions | `<0.5.0`               |

Receiving QUIC transport parameters containing invalid values could lead to a panic.

Unfortunately the maintainers did not properly assess usage of `unwrap()` calls in the
transport parameters parsing code, and we did not have sufficient fuzzing coverage to find this
issue. We have since added a fuzzing target to cover this code path.

See [advisory page](https://rustsec.org/advisories/RUSTSEC-2026-0037.html) for additional details.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RUSTSEC-2026-0037: Denial of service in Quinn endpoints #3240

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Details
Package	`quinn-proto`
Version	`0.11.13`
URL	quinn-rs/quinn#2559
Date	2026-03-09
Patched versions	`>=0.11.14`
Unaffected versions	`<0.5.0`

RUSTSEC-2026-0037: Denial of service in Quinn endpoints #3240

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions