CVE-2026-40898: quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion
An attacker can cause excessive memory allocation in quic-go’s HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an http.Header for the corresponding http.Request or http.Response, while only enforcing limits on the size of the QPACK-compressed HEADERS frame, not on the decoded field section. This can lead to memory exhaustion.
This is very similar to CVE-2025-64702. The difference is that this issue uses HTTP trailers, rather than HTTP headers, as the attack vector.
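To make the compressed-versus-decoded distinction concrete, here is an added illustration (not quic-go's code or its fix) of why a limit on the HEADERS frame size does not bound the memory a decoded trailer section needs, and of the check that does: a running budget on the decoded field section, using the RFC 9114 §4.2.2 accounting of len(name)+len(value)+32 per field. The `instr` type is a constructed toy stand-in for QPACK field lines (a literal, or a one-byte reference to an earlier literal); real QPACK table handling is far more involved and only the expansion ratio is modelled.

```go
package main

import (
	"errors"
	"net/http"
)
// RFC 9114 §4.2.2: a field counts len(name)+len(value)+32 toward the field
// section size; the 32 bytes are a fixed per-field overhead.
const fieldOverhead = 32
var errFieldSectionTooLarge = errors.New("decoded trailer field section exceeds limit")
// instr is a toy stand-in for one QPACK field line: a literal name/value, or a
// reference (ref >= 0) to an earlier literal; it only models the expansion ratio.
type instr struct {
	ref         int
	name, value string
}
// compressedSize is all a frame-size limit sees: 1 byte per reference, name+value per literal.
func compressedSize(section []instr) (n int) {
	for _, in := range section {
		if in.ref >= 0 {
			n++
		} else {
			n += len(in.name) + len(in.value)
		}
	}
	return n
}
// decodeTrailer expands section into an http.Header, aborting as soon as the running
// decoded size passes maxFieldSectionSize, so allocation is bounded by the limit.
func decodeTrailer(section []instr, maxFieldSectionSize int) (http.Header, error) {
	hdr, size := make(http.Header), 0
	var table []instr // literals seen so far, the targets of references
	for _, in := range section {
		f := in
		if in.ref >= 0 {
			if in.ref >= len(table) {
				return nil, errors.New("reference to unknown field")
			}
			f = table[in.ref]
		} else {
			table = append(table, in)
		}
		if size += len(f.name) + len(f.value) + fieldOverhead; size > maxFieldSectionSize {
			return nil, errFieldSectionTooLarge
		}
		hdr.Add(f.name, f.value)
	}
	return hdr, nil
}
```

A section of one 1 KiB literal plus 199 references is about 1.2 KiB on the wire but decodes to 200 fields of 1061 bytes each, so only the decoded budget stops the allocation early.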
References
- github.com/advisories/GHSA-g754-hx8w-x2g6
- github.com/advisories/GHSA-vvgj-x9jq-8cj9
- github.com/quic-go/quic-go/commit/c56e8c79d1627cc1ed6005b421b4b0adadd83665
- github.com/quic-go/quic-go/pull/5642
- github.com/quic-go/quic-go/releases/tag/v0.59.1
- github.com/quic-go/quic-go/security/advisories/GHSA-vvgj-x9jq-8cj9
- nvd.nist.gov/vuln/detail/CVE-2026-40898