Danzh2010

**Name of the Vulnerable Software and Affected Versions** Envoy (affected versions not specified) **Description** A crash was observed in `EnvoyQuicServerStream::OnInitialHeadersComplete()` due to a use-after-free issue. This occurs when QUICHE continues to push request headers after `StopReading()` is called on the stream. The `ActiveStream` in the HCM might be destroyed after `StopReading()`, and subsequent calls from QUICHE could cause a use-after-free error. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Envoy (affected versions not specified) **Description** The issue is related to a crash at `QuicheDataReader::PeekVarInt62Length()` caused by an integer underflow in the `QuicStreamSequencerBuffer::PeekRegion()` implementation. This affects Envoy, a cloud-native, open source edge and service proxy. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Envoy (affected versions not specified) **Description** The issue is related to a use-after-free in `HttpConnectionManager` (HCM) with `EnvoyQuicServerStream`, which can cause Envoy to crash. An attacker can exploit this by sending a request without `FIN`, followed by a `RESET STREAM` frame, and then closing the connection after receiving the response. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.