CVE-2026-10740 - Excessive memory allocation in s2n-quic
Bulletin ID: 2026-042-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/10/2026 11:15 AM PDT
Description:
s2n-quic is a Rust implementation of the QUIC protocol. We identified CVE-2026-10740, an issue of unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.82.0. An unauthenticated user can attempt to exhaust server memory on an s2n-quic endpoint by sending crafted CRYPTO frames with high offsets. The buffer used for processing CRYPTO frames does not enforce a maximum size. In the worst case, a single 1200-byte packet can cause approximately 9.4 MB of allocation. By repeatedly sending such packets, the resulting memory pressure could cause denial of service. No valid handshake is required.
Impacted versions: < v1.82.0
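The Description attributes the issue to a CRYPTO frame buffer with no maximum size. The following Rust model of a reassembler that bounds its window before allocating is an added example, not s2n-quic code and not the 1.82.0 patch. The names `CryptoReassembler`, `on_frame`, `pop_contiguous` and the 16 KiB `MAX_CRYPTO_BUFFER` value are assumptions; the `CRYPTO_BUFFER_EXCEEDED` error it maps to is defined in RFC 9000.

```rust
// Added illustration, not s2n-quic code: names and the limit value are assumptions.
/// Assumed cap on buffered CRYPTO bytes (RFC 9000 section 7.5 requires at least 4096).
pub const MAX_CRYPTO_BUFFER: u64 = 16 * 1024;

#[derive(Debug, PartialEq)]
pub enum CryptoError { BufferExceeded } // maps to CRYPTO_BUFFER_EXCEEDED (0x0d)

#[derive(Default)]
pub struct CryptoReassembler {
    read_offset: u64,  // stream offset of buf[0]; bytes below it were delivered
    buf: Vec<u8>,      // reassembly window starting at read_offset
    filled: Vec<bool>, // which window bytes have arrived
}

impl CryptoReassembler {
    /// Store one CRYPTO frame, rejecting it before any allocation if its last
    /// byte would fall outside the bounded window.
    pub fn on_frame(&mut self, offset: u64, data: &[u8]) -> Result<(), CryptoError> {
        // The offset is peer-controlled: guard against u64 overflow first.
        let end = offset.checked_add(data.len() as u64).ok_or(CryptoError::BufferExceeded)?;
        if end.saturating_sub(self.read_offset) > MAX_CRYPTO_BUFFER {
            return Err(CryptoError::BufferExceeded);
        }
        let start = offset.max(self.read_offset);
        if start >= end { return Ok(()); } // empty or already-delivered retransmission
        let skip = (start - offset) as usize;
        let (lo, hi) = ((start - self.read_offset) as usize, (end - self.read_offset) as usize);
        if hi > self.buf.len() {
            // Growth is bounded by the check above, never by the raw offset.
            self.buf.resize(hi, 0);
            self.filled.resize(hi, false);
        }
        self.buf[lo..hi].copy_from_slice(&data[skip..]);
        self.filled[lo..hi].fill(true);
        Ok(())
    }

    /// Hand the contiguous prefix to the TLS layer and slide the window forward.
    pub fn pop_contiguous(&mut self) -> Vec<u8> {
        let n = self.filled.iter().take_while(|f| **f).count();
        self.filled = self.filled.split_off(n);
        self.read_offset += n as u64;
        self.buf.drain(..n).collect()
    }

    pub fn buffered_len(&self) -> usize { self.buf.len() }
}

fn main() {
    let mut r = CryptoReassembler::default();
    println!("{:?}", r.on_frame(9_000_000, b"x")); // constructed input: far-ahead offset
}
```

Because the limit is measured from `read_offset`, the window moves forward as handshake data is consumed while the memory a single connection can pin stays constant.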
Resolution:
This issue has been addressed in s2n-quic version v1.82.0. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Workarounds:
There is no workaround that fully mitigates this issue. Upgrading to the patched version is the recommended remediation.
References:
Please email aws-security@amazon.com with any security questions or concerns.