CVE-2026-11941: Use-After-Free Vulnerabilities in Cloudflare Quiche FFI Layer

The Foreign Function Interface (FFI) implementation in Cloudflare Quiche, an open-source Rust implementation of the QUIC transport protocol and HTTP/3, is subject to two distinct use-after-free (UAF) vulnerabilities. These vulnerabilities are tracked under CVE-2026-11941 and GHSA-mh64-ph39-mrc9. The vulnerabilities are localized to the connection ID iterator functions quiche_connection_id_iter_next and quiche_conn_retired_scid_next within quiche/src/ffi.rs.

Downstream applications integrating Quiche via its C-compatible FFI layer can be triggered into dereferencing dangling pointers when invoking these iterator functions. This occurs because the FFI helper functions expose raw pointers pointing to memory allocated for temporary Rust objects that are immediately dropped before the C caller can consume the referenced data.

The primary attack surface is exposed in scenarios where a server or client application uses the FFI bindings to iterate over connection identifiers, which are commonly utilized for load balancing, logging, or connection routing. Although the core Rust library handles lifetimes safely via the compiler's borrow checker, the boundary between Rust and C lacks these automatic safety guarantees, introducing memory unsafety if lifetime tracking is not manually maintained.

The root cause of these use-after-free vulnerabilities is a violation of lifetime boundaries at the Rust-to-C FFI layer. In Rust, the lifetime of an object is strictly tied to its scope. When converting Rust types into raw pointers (*const u8 or *mut u8) to pass them to C, the Rust compiler's borrow checker ceases to track the validity of the underlying memory. The developer must guarantee that the memory remains valid while the C program maintains the pointer.

In the case of quiche_connection_id_iter_next, the ConnectionIdIter iterator formerly returned cloned, owned ConnectionId instances. This ownership structure meant that each call to iter.next() created a new, temporary ConnectionId allocation that resided only within the scope of the FFI helper function. Once the raw pointer to this local buffer was written to the output argument, the helper function reached its exit boundary, causing Rust to drop the temporary ConnectionId and deallocate the backing heap memory.

Similarly, quiche_conn_retired_scid_next retrieved an owned ConnectionId from the active connection. The raw pointer was extracted from this temporary, owned object. Upon exiting the match arm where the pointer was assigned, the temporary ConnectionId went out of scope and was immediately freed. Consequently, the C application was handed a status code of true alongside a pointer that pointed to freed heap memory, creating an immediate dangling pointer scenario.

To analyze the specific flaw, examine the vulnerable FFI function quiche_connection_id_iter_next as it existed before the patch. The function attempts to extract the raw pointer and length of a connection identifier from the iterator.

// VULNERABLE CODE PATH
#[no_mangle]
pub extern "C" fn quiche_connection_id_iter_next(
    iter: &mut ConnectionIdIter, out: &mut *const u8, out_len: &mut size_t,
) -> bool {
    if let Some(conn_id) = iter.next() { // iter.next() returns Option<ConnectionId> (owned copy)
        let id = conn_id.as_ref();
        *out = id.as_ptr(); // Pointing to the internal buffer of the owned `conn_id`
        *out_len = id.len();
        return true;
    } // <-- `conn_id` goes out of scope here and is dropped!
      // The heap memory backing `conn_id` is freed, leaving `*out` dangling.
    false
}

The patch resolved this by restructuring how connection IDs are stored and retrieved. The unused standard Iterator trait implementation on ConnectionIdIter was removed. The corrected function now borrows directly from the vector owned by the iterator, ensuring the memory remains allocated as long as the iterator itself is alive.

// PATCHED CODE PATH (Commit: 386ad632bef063aea503be1819f5fda503950876)
#[no_mangle]
pub extern "C" fn quiche_connection_id_iter_next(
    iter: &mut ConnectionIdIter, out: &mut *const u8, out_len: &mut size_t,
) -> bool {
    if let Some(conn_id) = iter.cids.get(iter.index) { // Borrow directly from the vector owned by `iter`
        let id = conn_id.as_ref();
        *out = id.as_ptr(); // Pointer points to memory owned by `iter`, which outlives this call
        *out_len = id.len();
        iter.index += 1;
        return true;
    }
    false
}

For quiche_conn_retired_scid_next, because the underlying connection struct yields owned ConnectionId elements on retirement, returning references was not directly feasible without risking leakages or lifetime conflicts. The developers removed the vulnerable quiche_conn_retired_scid_next function entirely and replaced it with an iterator-based allocation pattern.

// PATCHED ITERATOR INITIALIZATION (Commit: f2db946cf12c18448b6c8dfb03a46777f92f8ab8)
#[no_mangle]
pub extern "C" fn quiche_conn_retired_scid_iter(
    conn: &mut Connection,
) -> *mut ConnectionIdIter<'_> {
    let mut cids = Vec::with_capacity(conn.retired_scids());
    while let Some(cid) = conn.retired_scid_next() {
        cids.push(cid);
    }
    Box::into_raw(Box::new(ConnectionIdIter { cids, index: 0 }))
}

This implementation drains the retired connection IDs into a heap-allocated ConnectionIdIter, transferring ownership. The C host application must subsequently iterate using the corrected quiche_connection_id_iter_next and release the iterator memory via quiche_connection_id_iter_free.

Exploiting these use-after-free vulnerabilities requires specific host application behaviors. An attacker must interact with a C/C++ application that integrates Quiche with the ffi feature enabled. The host application must actively call the affected iteration APIs to process connection identifiers.

A remote attacker can trigger the execution paths of these iterators by interacting with the target server. For instance, sending specific transport parameters that trigger connection ID rotation or retirement causes the application to populate retired source connection IDs (SCIDs). When the host application runs its routine loop to fetch these IDs, the dangling pointer is generated.

The primary outcome is an immediate process crash due to a segmentation fault when dereferencing the deallocated memory block. If the allocator has reallocated the freed block for other data before the pointer is dereferenced, a reading application could leak sensitive heap metadata, potentially resulting in limited information disclosure.

The overall severity of CVE-2026-11941 is assessed as Medium, with a CVSS v3.1 base score of 5.6. This classification reflects the strict preconditions required for exploitation. The vulnerability cannot be triggered unless the target application is explicitly compiled with the optional FFI feature, which is disabled by default in standard Rust installations of Quiche.

For systems that do use the FFI wrapper, the impact is primarily on system availability. A crashing server thread or process terminates existing client sessions, leading to a Denial of Service (DoS). While process supervisors (such as systemd or Kubernetes pods) can automatically restart failed instances, a sustained stream of exploit packets could cause a persistent denial of service state.

Confidentiality and integrity impacts are rated as Low. This is due to the difficulty of staging a reliable heap grooming attack across the FFI boundary. To leak useful information or manipulate application state, the attacker must align heap allocations precisely, which is highly complex in multi-threaded asynchronous network environments typical of QUIC deployments.

Remediation requires upgrading the quiche library dependency to version 0.29.2 or later. This is the only way to eliminate the vulnerability within the library. Downstream developers must also refactor their C-based FFI integration code to conform to the new iterator paradigm.

Specifically, developers must remove any logic relying on the deprecated quiche_conn_retired_scid_next function. Code must be updated to construct a ConnectionIdIter instance via quiche_conn_retired_scid_iter, perform the iteration using quiche_connection_id_iter_next, and finally release the allocated iterator memory with quiche_connection_id_iter_free to prevent memory leaks.

If immediate upgrading is unfeasible, temporary mitigation involves disabling the ffi compilation feature if the application does not strictly require it, or modifying the C wrapper to avoid retrieving retired connection IDs entirely. Alternatively, host applications can implement strict validation or sandboxing to isolate the process running the Quiche FFI layer, limiting the scope of any potential process crash.