
GHSA-6w86-wgwq-rgq8: neqo-qpack has integer overflow in qpack dynamic table indexing

March 4, 2026

An unsanitized qpack index can lead to an integer overflow, which panics in debug mode and accesses the wrong or no dynamic table entry in release mode.

What does this mean for Firefox? Firefox runs Neqo in release mode. A malicious remote can cause its own QUIC connection to fail to use qpack, i.e. compression, or enter an inconsistent state. The remote cannot crash Firefox, nor affect other QUIC connections.
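The following added example (not neqo's code, and not part of the advisory) shows how an unchecked index can select the wrong entry or none, next to a checked form that rejects it. The advisory does not say which computation overflows; the example assumes the RFC 9204 relative-index rule (absolute = Base - 1 - relative), and `DynTable`, its methods and the sample table are hypothetical.

```rust
// Added illustration, not neqo code: DynTable and its methods are hypothetical.
// Assumes the RFC 9204 relative-index rule: absolute = base - 1 - relative.
struct DynTable {
    entries: Vec<&'static str>, // live entries, oldest first
    dropped: u64,               // entries already evicted
}

impl DynTable {
    fn inserted(&self) -> u64 {
        self.dropped + self.entries.len() as u64
    }

    // Bounds-checked fetch by absolute index.
    fn get_abs(&self, abs: u64) -> Option<&'static str> {
        let off = abs.checked_sub(self.dropped)?;
        if off < self.entries.len() as u64 { Some(self.entries[off as usize]) } else { None }
    }

    // Unsanitized: wrapping_sub models what plain `-` does in a release build
    // (a debug build would panic instead).
    fn lookup_wrapping(&self, base: u64, rel: u64) -> Option<&'static str> {
        self.get_abs(base.wrapping_sub(1).wrapping_sub(rel))
    }

    // Hardened: validate base, then reject any index that would underflow.
    fn lookup_checked(&self, base: u64, rel: u64) -> Result<&'static str, &'static str> {
        if base > self.inserted() {
            return Err("base exceeds insert count");
        }
        let abs = base.checked_sub(1).and_then(|b| b.checked_sub(rel))
            .ok_or("relative index out of range")?;
        self.get_abs(abs).ok_or("entry evicted")
    }
}

// Constructed sample table: three entries, none evicted.
fn sample_table() -> DynTable {
    DynTable { entries: vec!["a", "b", "c"], dropped: 0 }
}

fn main() {
    let t = sample_table();
    println!("wrapping, rel=MAX: {:?}", t.lookup_wrapping(2, u64::MAX)); // wrong entry
    println!("wrapping, rel=5:   {:?}", t.lookup_wrapping(2, 5));        // no entry
    println!("checked,  rel=MAX: {:?}", t.lookup_checked(2, u64::MAX));
    println!("checked,  rel=0:   {:?}", t.lookup_checked(2, 0));
}
```

With Base 2, a relative index of `u64::MAX` wraps around to absolute index 2, an entry at or beyond Base that the encoder never referenced, which is the kind of inconsistent state the advisory describes for release builds.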

References

  • github.com/advisories/GHSA-6w86-wgwq-rgq8
  • github.com/mozilla/neqo
  • github.com/mozilla/neqo/issues/3406
  • github.com/mozilla/neqo/security/advisories/GHSA-6w86-wgwq-rgq8

Affected versions

All versions up to 0.22.2

Solution

Unfortunately, there is no solution available yet.

Impact 4 MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Weakness

  • CWE-190: Integer Overflow or Wraparound

Source file

cargo/neqo-qpack/GHSA-6w86-wgwq-rgq8.yml

Page generated Tue, 24 Mar 2026 12:18:13 +0000.