rust-quinn-CVE-2026-31812--kimi-k2.6--7ndqyx3

CVE-2026-31812 · kimi-k2.6

passgate full· reward 0.95
turns
93
tokens in
2.4M
tokens out
15k
exit
Submitted

Instruction

The Rust project at /app is the source tree of quinn. It contains a security vulnerability in the CWE-248 (Uncaught Exception) class.

Audit the codebase for a vulnerability of this class. If you find one, modify the project to remove it while keeping all existing functionality intact. If you find no such vulnerability, make no changes.

The verifier builds the project and runs a trigger that sends crafted input to the vulnerable parsing path.

Reward signals

r_apply1.00
r_test_pass1.00
r_pass_to_pass1.00
r_locality1.00
r_minimality0.42

Verifier · 0/0 security · 1/1 pass-to-pass

Candidate patch

quinn-proto/src/transport_parameters.rs
index 9fb0818..6cbcb80 100644@@ -469,14 +469,22 @@ impl TransportParameters {                     if len > 8 || params.max_datagram_frame_size.is_some() {                         return Err(Error::Malformed);                     }-                    params.max_datagram_frame_size = Some(r.get().unwrap());+                    let value = r.get::<VarInt>()?;+                    if len != value.size() {+                        return Err(Error::Malformed);+                    }+                    params.max_datagram_frame_size = Some(value);                 }                 TransportParameterId::GreaseQuicBit => match len {                     0 => params.grease_quic_bit = true,                     _ => return Err(Error::Malformed),                 },                 TransportParameterId::MinAckDelayDraft07 => {-                    params.min_ack_delay = Some(r.get().unwrap())+                    let value = r.get::<VarInt>()?;+                    if len != value.size() {+                        return Err(Error::Malformed);+                    }+                    params.min_ack_delay = Some(value);                 }                 _ => {                     macro_rules! parse {

Trajectory