PT-2026-25516 · Crates.Io · Neqo-Qpack

Published

2026-03-04

·

Updated

2026-03-04

CVSS v4.0

5.1

Medium

Vector AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Summary

An unsanitized QPACK index can lead to an integer overflow: a panic in debug mode, and access to the wrong dynamic table entry, or to none at all, in release mode.
What does this mean for Firefox? Firefox runs Neqo in release mode. A malicious remote can cause its own QUIC connection to fail to use QPACK, i.e. header compression, or to enter an inconsistent state. The remote cannot crash Firefox, nor affect other QUIC connections.
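As an added illustration of the bug class described above (not Neqo's code and not the actual fix), the following Rust snippet converts a peer-supplied QPACK relative or post-base index into an absolute dynamic table index as defined in RFC 9204 (absolute = Base - 1 - relative; absolute = Base + post-base) using checked arithmetic, so an out-of-range index is rejected instead of wrapping. The table state, field names and the unchecked comparison function are constructed for this example.

```rust
/// Constructed dynamic table state (not Neqo's type): `base` is the encoder's
/// Base, `inserted` the number of entries inserted so far. Eviction is ignored.
#[derive(Debug, Clone, Copy)]
pub struct TableState {
    pub base: u64,
    pub inserted: u64,
}

/// Absolute index for a relative (pre-Base) reference: Base - 1 - relative.
/// Returns None instead of wrapping when `relative >= base` or when the
/// resulting index does not name an inserted entry.
pub fn relative_to_absolute(state: TableState, relative: u64) -> Option<u64> {
    let abs = state.base.checked_sub(1)?.checked_sub(relative)?;
    (abs < state.inserted).then_some(abs)
}

/// Absolute index for a post-Base reference: Base + post_base, with the same
/// bounds check and no wrap-around on addition.
pub fn post_base_to_absolute(state: TableState, post_base: u64) -> Option<u64> {
    let abs = state.base.checked_add(post_base)?;
    (abs < state.inserted).then_some(abs)
}

/// Unchecked form for comparison: `wrapping_sub` reproduces what plain `-`
/// does in a release build; a debug build would panic on the same input.
pub fn relative_to_absolute_unchecked(state: TableState, relative: u64) -> u64 {
    state.base.wrapping_sub(1).wrapping_sub(relative)
}

fn main() {
    let state = TableState { base: 4, inserted: 6 };
    // Valid references resolve to entries 3 and 5.
    println!("{:?}", relative_to_absolute(state, 0)); // Some(3)
    println!("{:?}", post_base_to_absolute(state, 1)); // Some(5)
    // A relative index of 4 lies before the first entry: rejected...
    println!("{:?}", relative_to_absolute(state, 4)); // None
    // ...whereas the unchecked form yields a nonsense index.
    println!("{}", relative_to_absolute_unchecked(state, 4)); // 18446744073709551615
}
```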

Details

PoC

See test in pull request.

Impact

All Firefox users, though the vulnerability is likely scoped to the same connection, i.e. low impact.

Fix

Integer Overflow


Weakness Enumeration

Related Identifiers

GHSA-6W86-WGWQ-RGQ8

Affected Products

Neqo-Qpack