CVE-2026-44434: Quicly is vulnerable to stateless reset injection
Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit dccf5d4, Quicly was vulnerable to stateless reset injection through lack of packet entry validation. The QUIC protocol is designed to withstand packet injection attacks, once the handshake is complete. Only packets that carry some secret patterns are considered as stateless resets. Quicly allows the peer to share up to 4 such patterns per connection. However, until now, it failed to determine which of the 4 slots that it uses to retain the secret patterns contains a valid entry. As the slots are zero-initialized, the failure meant that, unless the peer advertised 4 of such patterns, an all-zero pattern was treated as a stateless reset.In effect, this allowed an on-path attacker to reset QUIC connections governed by Quicly. This issue has been fixed by commit dccf5d4.
Security readout for executives and security teams
Plain-English summary
This flaw lets an on-path attacker force-close affected QUIC connections using Quicly. It does not expose data or enable code execution, but it can disrupt availability for services using Quicly, especially H2O-based QUIC endpoints.
Executive priority
Treat as a targeted availability risk, not a data breach signal. Patch exposed QUIC services during the next normal security maintenance window, faster where service reliability is business-critical.
Technical view
Before commit dccf5d4, Quicly did not validate which stateless reset token slots were populated. Zero-initialized unused slots could be treated as valid reset patterns, allowing an on-path attacker to reset established QUIC connections.
Likely exposure
Exposure is likely limited to systems using h2o/quicly before commit dccf5d4, directly or through H2O HTTP server QUIC support. The source bundle provides no CPEs, package release mapping, or downstream distribution list.
Exploitation context
The source bundle says an on-path attacker can reset Quicly-governed QUIC connections. KEV is false, and no provided source reports active exploitation in the wild.
Researcher notes
The vulnerability maps to CWE-345 and CWE-665. CVSS 3.1 is 5.3 with network attack vector, low complexity, no privileges, no user interaction, and low availability impact only. Release-to-commit mapping remains unspecified.
Mitigation direction
Update Quicly to commit dccf5d4 or a later vendor release containing the fix.
Identify downstream H2O builds that bundle or statically link affected Quicly code.
Check vendor guidance for supported patched versions and backports.
Prioritize Internet-facing QUIC services where connection disruption affects customers.
Validation and detection
Inventory services using H2O HTTP server or Quicly for QUIC transport.
Verify the deployed Quicly source revision is dccf5d4 or later.
Review package manifests, build logs, and static-link dependencies for bundled Quicly.
Confirm exposed QUIC endpoints have been rebuilt after the fixed dependency update.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-345: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-345 · source CWE mapping
Insufficient Verification of Data Authenticity
Insufficient Verification of Data Authenticity represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Improper Initialization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.