RUSTSEC-2026-0037

Denial of service in Quinn endpoints

Details

Receiving QUIC transport parameters containing invalid values could lead to a panic.

Unfortunately the maintainers did not properly assess usage of `unwrap()` calls in the transport parameters parsing code, and we did not have sufficient fuzzing coverage to find this issue. We have since added a fuzzing target to cover this code path.
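The bug class described above is avoided when every decode step on peer-supplied bytes returns an error instead of unwrapping. The parser below is an added example, not quinn-proto's code and not a reproduction of the actual defect; all names are hypothetical, and the parameter IDs and limits are taken from RFC 9000 sections 16 and 18.2.

```rust
// Added illustration; not quinn-proto's code. All names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum ParamError { Truncated, BadLength, IllegalValue { id: u64, value: u64 } }
/// Decode one QUIC variable-length integer (RFC 9000, section 16).
fn varint(buf: &mut &[u8]) -> Result<u64, ParamError> {
    let data = *buf;
    let first = *data.first().ok_or(ParamError::Truncated)?;
    let len = 1usize << (first >> 6); // 1, 2, 4 or 8 bytes
    if data.len() < len { return Err(ParamError::Truncated); }
    let mut v = u64::from(first & 0x3f);
    for b in &data[1..len] { v = (v << 8) | u64::from(*b); }
    *buf = &data[len..];
    Ok(v)
}

/// Limits RFC 9000 section 18.2 places on four integer parameters.
fn in_range(id: u64, v: u64) -> Option<bool> {
    match id {
        0x03 => Some(v >= 1200),     // max_udp_payload_size
        0x0a => Some(v <= 20),       // ack_delay_exponent
        0x0b => Some(v < (1 << 14)), // max_ack_delay
        0x0e => Some(v >= 2),        // active_connection_id_limit
        _ => None,                   // not validated in this sketch
    }
}

/// Parse a peer's transport parameters; every failure is an Err, never a panic.
pub fn parse(mut buf: &[u8]) -> Result<Vec<(u64, u64)>, ParamError> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let id = varint(&mut buf)?;
        let len = varint(&mut buf)?;
        if (buf.len() as u64) < len { return Err(ParamError::Truncated); }
        let (mut value, rest) = buf.split_at(len as usize);
        buf = rest;
        if in_range(id, 0).is_none() { continue; } // skip parameters not handled here
        let v = varint(&mut value)?;
        if !value.is_empty() { return Err(ParamError::BadLength); }
        if in_range(id, v) != Some(true) { return Err(ParamError::IllegalValue { id, value: v }); }
        out.push((id, v));
    }
    Ok(out)
}

fn main() {
    // Constructed inputs: ack_delay_exponent = 3 (valid), then 21 (illegal).
    println!("{:?}", parse(&[0x0a, 0x01, 0x03]));
    println!("{:?}", parse(&[0x0a, 0x01, 0x15]));
}
```

A caller would map any `Err` to closing the connection with a transport parameter error, so malformed input costs one connection rather than the endpoint.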

Affected packages

crates.io / quinn-proto
Introduced in: 0.5.0 Fixed in: 0.11.14

Upgrade quinn-proto to 0.11.14 or newer (ecosystem crates.io).
