Intel

AIKIDO-2026-395465

quinn-proto is vulnerable to Unlimited Resource Consumption

Unlimited Resource ConsumptionGHSA-4w2j-m93h-cj5j Published Jun 25, 2026

75

High Risk

This Affects:

RUSTquinn-proto
0.1.0 - 0.11.14
Fixed in 0.11.15
Are you affected? Scan for Free

TL;DR

The Assembler component that assembles unordered stream fragments into consecutive chunks of the stream incurs some overhead for non-contiguous fragments. Readers that read from a RecvStream in order (through an AsyncRead impl for example) will be sensitive to peers that send fragments while leaving out early parts of the stream, and in particular, fragments with many gaps (because these cannot be defragmented). In such a scenario, the receiving connection suffers from high buffer overhead, enabling memory exhaustion.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

quinn-proto is vulnerable to Unlimited Resource Consumption in versions 0.1.0 - 0.11.14.

How to fix this

Upgrade the quinn-proto library to the patch version.