{ "affected": [ { "ecosystem_specific": {}, "package": { "ecosystem": "Alpine:v3.22", "name": "openssl", "purl": "pkg:apk/alpine/openssl?arch=source" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.5.7-r0" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": {}, "package": { "ecosystem": "Alpine:v3.23", "name": "openssl", "purl": "pkg:apk/alpine/openssl?arch=source" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.5.7-r0" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": {}, "package": { "ecosystem": "Alpine:v3.24", "name": "openssl", "purl": "pkg:apk/alpine/openssl?arch=source" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.5.7-r0" } ], "type": "ECOSYSTEM" } ] } ], "details": "Issue summary: Remote peer may exhaust heap memory of the QUIC\nserver or client by flooding it with packets containing PATH_CHALLENGE\nframes.\n\nImpact summary: A malicious remote peer can cause an unbounded\nmemory allocation which can lead to an abnormal termination of the\napplication acting as a QUIC client or server and a Denial of Service.\n\nA remote peer may exhaust heap memory by flooding the local\nQUIC stack with PATH_CHALLENGE frames. The local QUIC stack\nallocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives.\nThe allocated PATH_RESPONSE frame gets freed only when the remote\npeer acknowledges reception of the PATH_RESPONSE frame which will\nnot be done by a malicious peer.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by\nthis issue. The QUIC stack is outside of OpenSSL FIPS module\nboundary.", "id": "ALPINE-CVE-2026-34183", "modified": "2026-06-15T18:18:11.202934786Z", "published": "2026-06-09T17:17:05Z", "references": [ { "type": "ADVISORY", "url": "https://security.alpinelinux.org/vuln/CVE-2026-34183" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "upstream": [ "CVE-2026-34183" ] }