Buffer Overflow Risk in ngtcp2 QUIC Implementation by ngtcp2 Project
CVE-2024-52811

Currently unrated

Key Information:

Vendor

ngtcp2

Status
Vendor
CVE Published:
25 November 2024

What is CVE-2024-52811?

CVE-2024-52811 is a vulnerability in ngtcp2, an implementation of the IETF QUIC protocol, caused by acknowledgements not being validated before they are written to the qlog. Specifically, a modification to the ACK processing logic allows invalid ACKs to bypass the necessary validation checks, which can lead to an integer underflow and a subsequent heap overflow. When the qlog feature is enabled, which is generally done for debugging purposes, crafted packets could exploit this flaw, causing instability or crashes in applications that use the ngtcp2 library. Users are strongly encouraged to upgrade to ngtcp2 v1.9.1 or higher to mitigate this vulnerability; those unable to do so should refrain from enabling qlog.
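The following added example (not ngtcp2's code and not its actual fix) shows the kind of check an ACK frame needs before any consumer, including a debug logger, reads its ranges. It assumes the RFC 9000 section 19.3.1 rule that no computed packet number may be negative; the struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical decoded ACK frame; fields follow RFC 9000 section 19.3,
 * not ngtcp2's own structures. */
typedef struct { uint64_t gap, len; } ack_range;
typedef struct {
  uint64_t largest_ack;
  uint64_t first_ack_range;
  size_t num_ranges;
  const ack_range *ranges;
} ack_frame;

/* Returns 0 when every packet number implied by the frame is >= 0,
 * -1 when any subtraction would wrap below zero. */
int ack_frame_validate(const ack_frame *fr) {
  uint64_t smallest;
  size_t i;
  if (fr->first_ack_range > fr->largest_ack) return -1;
  smallest = fr->largest_ack - fr->first_ack_range;

  for (i = 0; i < fr->num_ranges; ++i) {
    const ack_range *r = &fr->ranges[i];
    /* Next range's largest = smallest - gap - 2 (RFC 9000 19.3.1). */
    if (smallest < 2 || r->gap > smallest - 2) return -1;
    smallest -= r->gap + 2;
    /* Next range's smallest = largest - len. */
    if (r->len > smallest) return -1;
    smallest -= r->len;
  }
  return 0;
}

/* Hypothetical stand-in for a debug-log writer: logs only validated frames. */
int log_ack_if_valid(const ack_frame *fr) {
  if (ack_frame_validate(fr) != 0) return -1; /* reject before logging */
  printf("ack largest=%llu ranges=%zu\n",
         (unsigned long long)fr->largest_ack, fr->num_ranges + 1);
  return 0;
}

int main(void) {
  /* Constructed sample frames. */
  ack_range gaps[] = {{1, 2}};
  ack_frame good = {10, 2, 1, gaps};
  ack_frame bad = {1, 5, 0, NULL}; /* first_ack_range > largest_ack */
  return (log_ack_if_valid(&good) == 0 && log_ack_if_valid(&bad) == -1) ? 0 : 1;
}
```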

Timeline

  • Vulnerability published