CVE-2026-10740

Description

Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a denial of service (degraded availability) by sending crafted QUIC Initial packets. To remediate this issue, users should upgrade to v1.8.2.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

Low

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Affected products

AWS / s2n-quic0 – 1.8.1

References

PATCHhttps://github.com/aws/s2n-quic/releases/tag/v1.82.0
MISChttps://aws.amazon.com/security/security-bulletins/2026-042-aws/
VENDOR_ADVISORYhttps://github.com/aws/s2n-quic/security/advisories/GHSA-9q54-f358-3fqf