quic-go vulnerable to pointer dereference that can lead to panic
CVE-2023-46239

7.5HIGH

Key Information:

Vendor

Quic-go

Status
Quic-go
Vendor
CVE Published:
31 October 2023

What is CVE-2023-46239?

A significant vulnerability exists in the quic-go implementation of the QUIC protocol, affecting versions 0.37.0 through 0.37.2. An attacker can exploit this vulnerability by sending malicious packets that trigger a nil pointer dereference during the handshake process, leading to a node crash. This requires minimal effort and could allow an attacker to disrupt services using quic-go without needing sophisticated techniques. Version 0.37.3 provides a patch to mitigate this issue, and it is crucial for users to upgrade to this version to ensure system stability and security.

Affected Version(s)

quic-go >= 0.37.0, < 0.37.3

References

https://github.com/quic-go/quic-go/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe0...
x_refsource_MISC
https://github.com/quic-go/quic-go/releases/tag/v0.37.3
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.