CVE-2026-11941: Use-After-Free Vulnerabilities in Cloudflare Quiche FFI Layer
Vulnerability ID: CVE-2026-11941
CVSS Score: 5.6
Published: 2026-06-19
Two use-after-free flaws (CVSS 5.6, Medium) exist in the Foreign Function Interface (FFI) layer of Cloudflare Quiche, in the connection ID iterator functions. Both arise because a raw pointer handed to the C caller points into a temporary, owned Rust value that is dropped, and its heap buffer freed, as soon as the function returns. A host application that dereferences the dangling pointer invokes undefined behavior: in practice a crash, or a read of whatever the allocator has since placed in that memory, which is the limited heap information disclosure listed below.
TL;DR
The Cloudflare Quiche FFI layer contains two use-after-free flaws in its connection ID iterators. They are reachable by an unauthenticated remote peer, and a C host application that dereferences the dangling pointer crashes.
Technical Details
- CWE ID: CWE-416
- Attack Vector: Network (AV:N)
- CVSS v3.1 Score: 5.6 (Medium)
- Exploit Status: None (No public PoC or active exploitation)
- CISA KEV Status: Not Listed
- Impact: Denial of Service (DoS) / Limited Information Disclosure
- Affected Component: quiche/src/ffi.rs
Affected Systems
- Applications that incorporate Cloudflare Quiche through its Foreign Function Interface (FFI), i.e. builds with the 'ffi' cargo feature enabled.
- quiche >= 0.20.0, < 0.29.2 (fixed in 0.29.2)
Code Analysis
Commit: 386ad63
ffi: borrow connection ID instead of cloning in iterator next
--- a/quiche/src/ffi.rs
+++ b/quiche/src/ffi.rs
@@ -248,8 +248,7 @@ pub extern "C" fn quiche_connection_id_iter_next(
iter: &mut ConnectionIdIter, out: &mut *const u8, out_len: &mut size_t,
) -> bool {
- if let Some(conn_id) = iter.next() {
+ if let Some(conn_id) = iter.cids.get(iter.index) {
let id = conn_id.as_ref();
*out = id.as_ptr();
*out_len = id.len();
+ iter.index += 1;
return true;
}
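Review bot: the new `iter.cids.get(iter.index)` borrow makes the pointer written to `out` valid only as long as the `ConnectionIdIter` itself, but the hunk adds no doc comment saying that `out` must not be read after `quiche_connection_id_iter_free`; the old `iter.next()` handed out `as_ptr()` of an owned value dropped at the end of the `if let`, and the C-facing header should state the new lifetime rule explicitly. Advancing `iter.index` only after a successful `get` is right, since `get` returns `None` past the end and no separate bounds check is needed. Minor: the header `@@ -248,8 +248,7 @@` claims a net loss of one line although the hunk removes one and adds two.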
Commit: f2db946
ffi: introduce iterator for retired connection IDs
--- a/quiche/src/ffi.rs
+++ b/quiche/src/ffi.rs
@@ -290,11 +290,11 @@ pub extern "C" fn quiche_conn_retired_scid_iter(
conn: &mut Connection,
) -> *mut ConnectionIdIter<'_> {
let mut cids = Vec::with_capacity(conn.retired_scids());
while let Some(cid) = conn.retired_scid_next() {
cids.push(cid);
}
Box::into_raw(Box::new(ConnectionIdIter { cids, index: 0 }))
}
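Review bot: `quiche_conn_retired_scid_iter` drains the connection with `retired_scid_next()` and moves the whole snapshot into a `Box::into_raw` allocation, so every call that is not paired with `quiche_connection_id_iter_free` leaks the `Vec` and the IDs it holds, and a second call sees an empty queue; the hunk adds no doc comment saying the caller owns the result and that the retired IDs are consumed. The `'_` lifetime on the returned `*mut ConnectionIdIter<'_>` is also misleading: the iterator stores owned `ConnectionId`s and borrows nothing from `conn`, the previous hunk names the type as plain `ConnectionIdIter`, and a lifetime on a raw pointer is invisible to C in any case. Drop the lifetime parameter or document what it is meant to express.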
Mitigation Strategies
- Upgrade Cloudflare Quiche to version 0.29.2 or higher.
- Refactor C/C++ host integration logic to use the iterator-based API: allocate the iterator, step it while copying each ID out, then free it.
- Disable the 'ffi' build-time cargo feature if C bindings are not actively required.
Remediation Steps:
- Modify the Cargo.toml dependency to target quiche >= 0.29.2.
- Locate calls to quiche_conn_retired_scid_next in C/C++ wrapper code.
- Replace retired SCID retrieval with quiche_conn_retired_scid_iter and quiche_connection_id_iter_next.
- Ensure that quiche_connection_id_iter_free is called after iteration to avoid memory leaks.
- Recompile and execute tests under AddressSanitizer (ASan) to verify absence of use-after-free conditions.
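The following Rust program is an added example, not quiche's own code, that models both the flaw described at the top of this page and the iterator pattern the remediation steps ask C hosts to adopt. `ConnectionId`, `Connection`, `ConnectionIdIter` and every `mock_*` function are constructed stand-ins that imitate the shapes shown in the diffs; the two-entry retired queue is sample data. The pre-fix function is kept only to show why the pointer dangles and is never called.

```rust
use std::collections::VecDeque;

/// Stand-in for quiche's ConnectionId: an owned, heap-allocated byte buffer.
#[derive(Clone, Debug, PartialEq)]
pub struct ConnectionId(Vec<u8>);

impl AsRef<[u8]> for ConnectionId {
    fn as_ref(&self) -> &[u8] { &self.0 }
}

/// Stand-in for the quiche connection: a queue of retired source CIDs whose
/// `retired_scid_next` pops one entry and hands *ownership* to the caller.
pub struct Connection { retired_scids: VecDeque<ConnectionId> }

impl Connection {
    pub fn new(retired: Vec<Vec<u8>>) -> Self {
        Connection { retired_scids: retired.into_iter().map(ConnectionId).collect() }
    }
    pub fn retired_scids(&self) -> usize { self.retired_scids.len() }
    pub fn retired_scid_next(&mut self) -> Option<ConnectionId> { self.retired_scids.pop_front() }
}

/// VULNERABLE shape (pre-fix). `cid` is an owned temporary that lives only
/// inside the `if let` block; `as_ptr()` points into its heap buffer, which is
/// freed when `cid` drops at the closing brace, so the C caller gets a dangling
/// pointer. rustc accepts this because raw pointers carry no lifetime.
/// Kept only for contrast; never called.
pub extern "C" fn mock_conn_retired_scid_next_uaf(
    conn: &mut Connection, out: &mut *const u8, out_len: &mut usize,
) -> bool {
    if let Some(cid) = conn.retired_scid_next() {
        let id = cid.as_ref();
        *out = id.as_ptr();
        *out_len = id.len();
        return true; // `cid` is dropped here: `*out` now dangles
    }
    false
}

/// FIXED shape (post-fix): the iterator owns a snapshot, so each pointer it
/// hands out borrows memory that lives until the iterator is freed.
pub struct ConnectionIdIter { cids: Vec<ConnectionId>, index: usize }

pub extern "C" fn mock_conn_retired_scid_iter(conn: &mut Connection) -> *mut ConnectionIdIter {
    let mut cids = Vec::with_capacity(conn.retired_scids());
    while let Some(cid) = conn.retired_scid_next() {
        cids.push(cid);
    }
    Box::into_raw(Box::new(ConnectionIdIter { cids, index: 0 }))
}

pub extern "C" fn mock_connection_id_iter_next(
    iter: &mut ConnectionIdIter, out: &mut *const u8, out_len: &mut usize,
) -> bool {
    if let Some(cid) = iter.cids.get(iter.index) {
        let id = cid.as_ref();
        *out = id.as_ptr();
        *out_len = id.len();
        iter.index += 1; // advance only after a successful, bounds-checked lookup
        return true;
    }
    false
}

/// # Safety
/// `iter` must be null or an unfreed pointer from `mock_conn_retired_scid_iter`.
pub unsafe extern "C" fn mock_connection_id_iter_free(iter: *mut ConnectionIdIter) {
    if !iter.is_null() {
        drop(unsafe { Box::from_raw(iter) });
    }
}

/// Models the C host's loop from the remediation steps: create the iterator,
/// copy each CID out while the iterator is still alive, then free it once.
pub fn collect_retired_scids_via_ffi(conn: &mut Connection) -> Vec<Vec<u8>> {
    let iter = mock_conn_retired_scid_iter(conn);
    let mut out = Vec::new();
    let (mut ptr, mut len): (*const u8, usize) = (std::ptr::null(), 0);
    // SAFETY: `iter` came from Box::into_raw above and is freed exactly once below.
    let iter_ref = unsafe { &mut *iter };
    while mock_connection_id_iter_next(iter_ref, &mut ptr, &mut len) {
        // SAFETY: `ptr` points into `iter_ref.cids`, which is still alive here.
        out.push(unsafe { std::slice::from_raw_parts(ptr, len) }.to_vec());
    }
    // SAFETY: the last use of any pointer handed out precedes this free.
    unsafe { mock_connection_id_iter_free(iter) };
    out
}

fn main() {
    // Constructed sample input, not data from a real connection.
    let mut conn = Connection::new(vec![vec![0xaa; 8], vec![1, 2, 3, 4]]);
    println!("{:02x?}", collect_retired_scids_via_ffi(&mut conn));
}
```

The contrast to keep in mind is where the bytes behind `*out` live: in the pre-fix function they belong to a stack temporary whose buffer is released at the closing brace, in the fixed one they belong to the `Vec` inside the boxed iterator, so the host's only obligation is to finish reading before calling the free function. Running the fixed path under Miri (`cargo +nightly miri test`) is the quickest way to confirm that the copy-out loop never touches freed memory, and it would flag the pre-fix shape immediately if it were ever called.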