Cloudflare Quiche was affected by 2 use-after-free vulnerabilities in the connection ID iterator FFI functions.
The quiche_connection_id_iter_next and quiche_conn_retired_scid_next functions would return a pointer to a ConnectionId to the applications via function arguments, but the the owned ConnectionId would be dropped at the end of those functions' scope.
Only applications using those FFI functions are affected. The FFI API is disabled by default by a build-time feature flag.
quiche 0.29.2 is the earliest version containing the fix for this issue.
No EPSS score in this advisory JSON.
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.6 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-mh64-ph39-mrc9 ↗ |
| CVE | CVE-2026-11941 ↗ |
| CWE id | Name |
|---|---|
| CWE-416 | Use After Free |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| rust | quiche | >= 0.20.0, < 0.29.2 | 0.29.2 | — |