Memory exhaustion in QUIC connection handling in crypto/tls
CVE-2023-39322

7.5HIGH

Key Information:

Vendor: Go Standard Library
Status: Crypto/tls
Vendor: CVE Published:; 8 September 2023

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2023-39322?

The vulnerability arises from QUIC connections lacking an upper limit on the data buffered when processing post-handshake messages. This oversight permits a malicious QUIC connection to exploit the system, leading to unbounded memory growth. The issue has been addressed in recent updates, which now enforce a restriction on message size at 65KiB, effectively mitigating the potential for excessive resource consumption and maintaining system integrity.

Affected Version(s)

crypto/tls 1.21.0-0 < 1.21.1

References

https://go.dev/issue/62266

https://go.dev/cl/523039

https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 8, 2023
Vulnerability Reserved
Jul 27, 2023

Credit

Marten Seemann