Commit cf66945
Resolve unauthenticated remote DoS in quinn-proto QUIC parsing (#54)
* Resolve unauthenticated remote DoS in QUIC transport parameter parsing

  Investigate the quinn-proto 0.11.13 vulnerability where attacker-controlled varints decoded with unwrap() cause a panic on truncated encodings, reachable over the network with a single unauthenticated packet. Upgrade quinn-proto to 0.11.14, which replaces unwrap() with proper error propagation.

* Resolve unauthenticated remote DoS in QUIC transport parameter parsing

  Introduce a quinn-proto 0.11.14 version floor in the btlightning Cargo.toml to force all downstream consumers to resolve the patched version. Addresses CVE-2026-31812, where attacker-controlled varints decoded with unwrap() cause a panic on truncated encodings, reachable over the network with a single unauthenticated packet.
1 parent 5d17787 commit cf66945
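The failure mode the commit message describes, as an added example that is not quinn-proto's code: a minimal QUIC variable-length integer reader (RFC 9000, section 16) and a transport-parameter list parser written twice, once with the unwrap() pattern the message attributes to 0.11.13 and once propagating decode errors as 0.11.14 is said to do. The names (Cursor, DecodeError, parse_transport_params and its _vulnerable twin) and the sample byte strings are constructed for this illustration; the version numbers and CVE come from the commit message above, not from this code.

```rust
// Added example, not quinn-proto's code. Names and inputs are constructed.
// QUIC varint (RFC 9000 s16): the top two bits of the first byte give the
// total length (1, 2, 4 or 8 bytes); the remaining bits are the big-endian value.

#[derive(Debug, PartialEq, Eq)]
pub enum DecodeError {
    /// Input ended inside a varint or inside a parameter value.
    UnexpectedEnd,
}

/// Bounds-checked reader over an untrusted byte slice.
pub struct Cursor<'a> {
    buf: &'a [u8],
    pos: usize,
}

impl<'a> Cursor<'a> {
    pub fn new(buf: &'a [u8]) -> Self {
        Cursor { buf, pos: 0 }
    }

    pub fn remaining(&self) -> usize {
        self.buf.len() - self.pos
    }

    fn get_u8(&mut self) -> Result<u8, DecodeError> {
        let b = *self.buf.get(self.pos).ok_or(DecodeError::UnexpectedEnd)?;
        self.pos += 1;
        Ok(b)
    }

    /// Decode one varint; errors if the encoding claims more bytes than remain.
    pub fn get_var(&mut self) -> Result<u64, DecodeError> {
        let first = self.get_u8()?;
        let len = 1usize << (first >> 6);
        let mut value = u64::from(first & 0x3f);
        for _ in 1..len {
            value = (value << 8) | u64::from(self.get_u8()?);
        }
        Ok(value)
    }

    pub fn get_bytes(&mut self, n: usize) -> Result<&'a [u8], DecodeError> {
        let end = self.pos.checked_add(n).ok_or(DecodeError::UnexpectedEnd)?;
        let s = self.buf.get(self.pos..end).ok_or(DecodeError::UnexpectedEnd)?;
        self.pos = end;
        Ok(s)
    }
}

/// Transport parameters: a sequence of (id varint, length varint, value bytes).
pub type Params = Vec<(u64, Vec<u8>)>;

/// Pre-fix shape: decode results are unwrapped, so one truncated encoding in
/// an unauthenticated packet panics the process instead of being rejected.
pub fn parse_transport_params_vulnerable(buf: &[u8]) -> Params {
    let mut r = Cursor::new(buf);
    let mut params = Vec::new();
    while r.remaining() > 0 {
        let id = r.get_var().unwrap(); // panics on a truncated id
        let len = r.get_var().unwrap(); // panics on a truncated length
        let value = r.get_bytes(len as usize).unwrap(); // panics on a short value
        params.push((id, value.to_vec()));
    }
    params
}

/// Fixed shape: every decode error is propagated, so the caller can drop the
/// packet or close the connection with a transport error.
pub fn parse_transport_params(buf: &[u8]) -> Result<Params, DecodeError> {
    let mut r = Cursor::new(buf);
    let mut params = Vec::new();
    while r.remaining() > 0 {
        let id = r.get_var()?;
        let len = usize::try_from(r.get_var()?).map_err(|_| DecodeError::UnexpectedEnd)?;
        let value = r.get_bytes(len)?;
        params.push((id, value.to_vec()));
    }
    Ok(params)
}

// Constructed inputs: id 4 with a 4-byte value, then id 5 with a 2-byte value.
pub const WELL_FORMED: [u8; 10] = [0x04, 0x04, 0x80, 0x10, 0x00, 0x00, 0x05, 0x02, 0x44, 0x00];
// Same first parameter, but the packet ends two bytes into the value.
pub const TRUNCATED_VALUE: [u8; 4] = [0x04, 0x04, 0x80, 0x10];
// Length field is a 2-byte varint (0x44 prefix) whose second byte is missing.
pub const TRUNCATED_VARINT: [u8; 2] = [0x04, 0x44];

fn main() {
    println!("{:?}", parse_transport_params(&WELL_FORMED));
    println!("{:?}", parse_transport_params(&TRUNCATED_VARINT));
    // The pre-fix parser panics on the same two bytes; catch it so main returns.
    let r = std::panic::catch_unwind(|| parse_transport_params_vulnerable(&TRUNCATED_VARINT));
    println!("vulnerable parser panicked: {}", r.is_err());
}
```

The check a reviewer wants from a dependency-floor fix is the behavioural one: feed the truncated inputs to the version actually resolved in Cargo.lock and confirm the handshake is rejected rather than the process aborting, since in a QUIC server every connection shares one process and a single panic takes down all of them.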

File tree

2 files changed

+14
-12
lines changed


Cargo.lock

Lines changed: 13 additions & 12 deletions

crates/btlightning/Cargo.toml

Lines changed: 1 addition & 0 deletions
@@ -14,6 +14,7 @@ name = "btlightning"
1414

1515
[dependencies]
1616
quinn = "0.11"
17+
quinn-proto = "0.11.14"
1718
rustls = { version = "0.23", default-features = false, features = ["ring", "std", "logging"] }
1819
rcgen = "0.13"
1920
tokio = { version = "1.0", features = ["full"] }
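Review bot: the added `quinn-proto = "0.11.14"` line carries no comment explaining why a crate that already depends on `quinn = "0.11"` now names quinn-proto directly; without one, a later cleanup of unused dependencies will remove the floor and silently reopen the issue the commit message describes. Suggest a comment above the line, e.g. `# Security floor: quinn-proto < 0.11.14 panics on truncated varints (CVE-2026-31812), see cf66945`, and, since the Cargo.lock hunk is not rendered here, a check with `cargo tree -i quinn-proto` that the graph resolves to a single copy at 0.11.14 or later. Note that `"0.11.14"` is a caret requirement (>=0.11.14, <0.12.0), which is the right shape for a floor: it pushes downstream resolution onto the patched release without pinning an exact version.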
