Intel

AIKIDO-2026-276129

qh3 is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

53

Medium Risk

This Affects:

PYTHONqh3
1.4.5 - 1.7.3
Fixed in 1.7.4
Are you affected? Scan for Free

TL;DR

The Rust QUIC header protection code in qh3 slices a sample of fixed length from an incoming packet without first verifying the packet is long enough. When a corrupted or truncated datagram is fed into the QUIC state machine, the out-of-bounds slice raises an unhandled panic that surfaces as an unexpected crash instead of a graceful error. A remote peer can trigger this by sending a short/malformed packet, disrupting availability of the QUIC/HTTP3 endpoint. The fix adds an explicit length check in src/hpk.rs and returns a CryptoError instead of crashing.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

qh3 is vulnerable to Denial of Service (DoS) in versions 1.4.5 - 1.7.3.

How to fix this

Upgrade the qh3 library to the patch version.