
CVE-2026-11941: Cloudflare Quiche: Use-after-free in connection ID iterator FFI functions

June 19, 2026

Cloudflare Quiche was affected by two use-after-free vulnerabilities in the connection ID iterator FFI functions.

The quiche_connection_id_iter_next and quiche_conn_retired_scid_next functions would return a pointer to a ConnectionId to applications via function arguments, but the owned ConnectionId would be dropped at the end of those functions’ scope, leaving the returned pointer dangling.

Only applications using those FFI functions are affected. The FFI API is disabled by default by a build-time feature flag.

quiche 0.29.2 is the earliest version containing the fix for this issue.
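The defect class described above, as an added Rust example that is not quiche's code: a hypothetical FFI-style iterator over connection IDs (the names CidIter, ConnectionId, cid_iter_next and cid_iter_next_unsound are assumptions made for this illustration) showing the unsound shape, where a pointer is written to the caller while the value it points into is dropped at scope end, beside the sound shape, where the yielded value is parked in the iterator handle so it outlives the call.

```rust
// Added example, not quiche's code. Hypothetical FFI iterator over
// connection IDs: the unsound version hands out a pointer into a local
// that is dropped on return; the sound version keeps the yielded value in
// the handle the caller owns.

/// Owned connection ID bytes (hypothetical stand-in for a library type).
#[derive(Clone, Debug, PartialEq)]
pub struct ConnectionId(pub Vec<u8>);

/// Hypothetical FFI iterator handle. `current` holds the most recently
/// yielded ConnectionId so the pointer written to the caller stays valid
/// until the next call or until the iterator is freed.
pub struct CidIter {
    items: Vec<ConnectionId>,
    pos: usize,
    current: Option<ConnectionId>,
}

impl CidIter {
    pub fn new(items: Vec<ConnectionId>) -> Self {
        CidIter { items, pos: 0, current: None }
    }
}

/// UNSOUND pattern, written only for illustration and never called: `cid`
/// is a local that owns the bytes, `out` receives a pointer into its heap
/// buffer, and `cid` is dropped when the function returns, so the caller
/// is left holding a dangling pointer (reading through it is UB).
pub unsafe extern "C" fn cid_iter_next_unsound(
    iter: *mut CidIter,
    out: *mut *const u8,
    out_len: *mut usize,
) -> bool {
    let iter = &mut *iter;
    if iter.pos >= iter.items.len() {
        return false;
    }
    let cid = iter.items[iter.pos].clone(); // owned by this stack frame
    iter.pos += 1;
    *out = cid.0.as_ptr(); // points into cid's buffer
    *out_len = cid.0.len();
    true // cid dropped here; *out now dangles
}

/// Sound pattern: the yielded value is moved into `iter.current`, which
/// lives as long as the caller's handle; the pointer is valid until the
/// next call to this function or until the iterator is dropped.
pub unsafe extern "C" fn cid_iter_next(
    iter: *mut CidIter,
    out: *mut *const u8,
    out_len: *mut usize,
) -> bool {
    let iter = &mut *iter;
    if iter.pos >= iter.items.len() {
        iter.current = None;
        return false;
    }
    let cid = iter.items[iter.pos].clone();
    iter.pos += 1;
    let cur = iter.current.insert(cid); // stored in the handle, not the frame
    *out = cur.0.as_ptr();
    *out_len = cur.0.len();
    true
}

/// Safe wrapper that drives the sound FFI function the way a C caller
/// would, copying each yielded CID out before making the next call.
pub fn collect_cids(items: Vec<ConnectionId>) -> Vec<Vec<u8>> {
    let mut iter = CidIter::new(items);
    let mut result = Vec::new();
    let mut ptr: *const u8 = std::ptr::null();
    let mut len: usize = 0;
    // SAFETY: `iter` outlives every use of `ptr`, and `ptr`/`len` are only
    // read between a successful call and the following call, which is the
    // contract the sound function documents.
    unsafe {
        while cid_iter_next(&mut iter, &mut ptr, &mut len) {
            result.push(std::slice::from_raw_parts(ptr, len).to_vec());
        }
    }
    result
}

fn main() {
    // Constructed sample input.
    let cids = vec![
        ConnectionId(vec![0x01, 0x02, 0x03, 0x04]),
        ConnectionId(vec![0xaa, 0xbb]),
    ];
    for cid in collect_cids(cids) {
        println!("{:02x?}", cid);
    }
}
```

The review check this suggests for any FFI function taking out-pointer arguments: every pointer written to the caller must be derived from storage the caller can reach (the handle, a caller-supplied buffer, or a heap allocation the API documents how to free), never from a value owned by the function's own stack frame.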

References

  • github.com/advisories/GHSA-mh64-ph39-mrc9
  • github.com/cloudflare/quiche/security/advisories/GHSA-mh64-ph39-mrc9
  • nvd.nist.gov/vuln/detail/CVE-2026-11941


Affected versions

All versions starting from 0.20.0 before 0.29.2

Fixed versions

  • 0.29.2

Solution

Upgrade to version 0.29.2 or above.

Impact: 5.6 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L


Weakness

  • CWE-416: Use After Free

Source file

cargo/quiche/CVE-2026-11941.yml


Page generated Tue, 23 Jun 2026 12:24:12 +0000.