Dane · Dane · CVE-2026-28387
**Name of the Vulnerable Software and Affected Versions**
versions not specified
**Description**
An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. A use-after-free can lead to data corruption, crashes, or arbitrary code execution. The issue affects clients that use TLSA records with both PKIX-TA(0)/PKIX-EE(1) and DANE-TA(2) certificate usages. Clients that treat PKIX TLSA records as unusable or support only PKIX usages are not vulnerable. The client must also communicate with a server publishing a TLSA RRset with both types of TLSA records.
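The server-side half of this condition is visible in DNS: a TLSA RRset that carries both a PKIX usage (0 or 1) and DANE-TA(2). The Python example below is added here and is not part of the advisory or of any vendor tooling; it flags such RRsets in records given in presentation format. It assumes one record per line with an explicit owner name, as `dig` prints them, and the function names and sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# RFC 7218 mnemonics for the TLSA certificate usage field.
USAGE_NAMES = {"PKIX-TA": 0, "PKIX-EE": 1, "DANE-TA": 2, "DANE-EE": 3}

# owner [ttl] [class] TLSA usage selector matching-type data
TLSA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?:\d+|IN)\s+){0,2}TLSA\s+(?P<usage>\S+)\s+\S+\s+\S+\s+\S+",
    re.IGNORECASE,
)

def parse_usages(records):
    """Map each TLSA owner name (one RRset) to the set of usages it publishes."""
    rrsets = defaultdict(set)
    for line in records.splitlines():
        match = TLSA_RE.match(line.split(";", 1)[0].strip())  # drop comments
        if not match:
            continue
        field = match.group("usage").upper()
        if field in USAGE_NAMES:
            usage = USAGE_NAMES[field]
        elif field.isdigit():
            usage = int(field)
        else:
            continue  # unknown mnemonic: not classifiable
        rrsets[match.group("owner").lower().rstrip(".")].add(usage)
    return dict(rrsets)

def mixed_rrsets(records):
    """Owners whose RRset has both a PKIX usage (0 or 1) and DANE-TA (2)."""
    return sorted(
        owner for owner, usages in parse_usages(records).items()
        if usages & {0, 1} and 2 in usages
    )

# Constructed sample records; the digest is a placeholder, not a real hash.
D = "ab" * 32
SAMPLE = f"""
_443._tcp.www.example.com. 3600 IN TLSA 1 1 1 {D}
_443._tcp.www.example.com. 3600 IN TLSA 2 0 1 {D}
_25._tcp.mail.example.com. 3600 IN TLSA 3 1 1 {D}  ; DANE-EE + DANE-TA only
_25._tcp.mail.example.com. 3600 IN TLSA DANE-TA 0 1 {D}
_443._tcp.api.example.com. IN TLSA PKIX-TA 0 1 {D}  ; PKIX usages only
_443._tcp.api.example.com. IN TLSA 1 1 1 {D}
"""

if __name__ == "__main__":
    for owner in mixed_rrsets(SAMPLE):
        print(f"{owner}: PKIX and DANE-TA(2) usages in one TLSA RRset")
```

A hit means only that the record mix from the description is published; per the advisory, the client must also be one that uses both kinds of TLSA records.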
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.