Memory Exhaustion Vulnerability in quic-go by Cloudflare
CVE-2024-22189
Currently unrated
What is CVE-2024-22189?
quic-go is a Go language implementation of the QUIC protocol. Versions prior to 0.42.0 are susceptible to a memory exhaustion vulnerability that allows an attacker to consume a peer's memory. This can occur by sending a flood of NEW_CONNECTION_ID frames that prompt the peer to retire old connection IDs. The peer is designed to acknowledge these retirement requests with RETIRE_CONNECTION_ID frames. However, attackers can disrupt this process by selectively acknowledging packets, leading to congestion window collapse and manipulation of round-trip time (RTT) estimates. The issue has been resolved in version 0.42.0, with no available workarounds.
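
Since there is no workaround, remediation starts with finding builds that still require a pre-0.42.0 release. The following is an added example, not code from this page or from quic-go: it scans go.mod text for such a requirement. The function names and sample module are assumptions, the pre-rename module path github.com/lucas-clemente/quic-go is checked as well, and replace directives are not resolved.

```go
package main

import (
	"fmt"
	"strings"
)

// Current and pre-rename module paths of quic-go.
var quicGoPaths = map[string]bool{"github.com/quic-go/quic-go": true, "github.com/lucas-clemente/quic-go": true}

// beforeFix reports whether v sorts before v0.42.0, the fixed release. Unparseable
// versions and pre-releases of 0.42.0 are flagged so they get a manual look.
func beforeFix(v string) bool {
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var major, minor, patch int
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &major, &minor, &patch); err != nil {
		return true
	}
	return major == 0 && (minor < 42 || (minor == 42 && patch == 0 && pre != ""))
}

// vulnerableRequires returns the quic-go requirements in go.mod text that predate the fix.
func vulnerableRequires(gomod string) []string {
	var hits []string
	block := "" // directive of the parenthesised block we are inside, if any
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // strip comments such as "// indirect"
		f := strings.Fields(line)
		if len(f) == 2 && f[1] == "(" {
			block = f[0]
		} else if len(f) == 1 && f[0] == ")" {
			block = ""
		} else if len(f) == 3 && f[0] == "require" {
			f = f[1:] // single-line form: require <path> <version>
		} else if block != "require" {
			continue // ignore exclude/replace blocks and other directives
		}
		if len(f) == 2 && quicGoPaths[f[0]] && beforeFix(f[1]) {
			hits = append(hits, f[0]+"@"+f[1])
		}
	}
	return hits
}

func main() {
	// Constructed go.mod content, not taken from a real project.
	sample := "module example.com/app\n\nrequire (\n\tgithub.com/quic-go/quic-go v0.41.0\n)\n"
	fmt.Println(vulnerableRequires(sample))
}
```

A go.mod pins only the minimum version, so confirm what was actually linked into a deployed binary with `go version -m <binary>`.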