CVE-2022-30591

HIGH

quic-go < 0.27.0 - Denial of Service via MTU Discovery Probe Timer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-30591. PoCs published by efchatz.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2022-30591, a DoS vulnerability in the quic-go library affecting QUIC-enabled servers. The exploit includes scripts for QUIC flooding, hash-based attacks, and a low-rate DoS (LoRIS) attack specifically targeting the vulnerability.

Description

quic-go through 0.27.0 allows remote attackers to cause a denial of service (CPU consumption) via a Slowloris variant in which incomplete QUIC or HTTP/3 requests are sent. This occurs because mtu_discoverer.go misparses the MTU Discovery service and consequently overflows the probe timer. NOTE: the vendor's position is that this behavior should not be listed as a vulnerability on the CVE List

Exploits (1)

nomisec WORKING POC 25 stars
by efchatz · poc
https://github.com/efchatz/QUIC-attacks

This repository contains a proof-of-concept exploit for CVE-2022-30591, a DoS vulnerability in the quic-go library affecting QUIC-enabled servers. The exploit includes scripts for QUIC flooding, hash-based attacks, and a low-rate DoS (LoRIS) attack specifically targeting the vulnerability.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: QUIC-enabled servers (IIS, NGINX, LiteSpeed, Cloudflare, H2O, Caddy) using quic-go library
No auth needed
Prerequisites: Ubuntu 18.04 client · aioquic Python library · Scapy Python library v2.4.3
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 7.5
EPSS 0.0241
EPSS Percentile 82.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-400
Status published
Products (1)
quic-go_project/quic-go < 0.27.0
Published Jul 06, 2022
Tracked Since Feb 18, 2026