Stack Buffer Overflow in ngtcp2 Implementation of IETF QUIC Protocol
CVE-2026-40170

7.5HIGH

Key Information:

Vendor: Ngtcp2
Status: Ngtcp2
Vendor: CVE Published:; 16 April 2026

What is CVE-2026-40170?

A stack buffer overflow vulnerability exists in ngtcp2, a C implementation of the IETF QUIC protocol, specifically in the function ngtcp2_qlog_parameters_set_transport_params(). This issue arises from the lack of bounds checking when serializing peer transport parameters into a fixed 1024-byte stack buffer. When the qlog is enabled, an untrusted remote peer can exploit this vulnerability by sending overly large transport parameters during the QUIC handshake. This can lead to unauthorized memory writes beyond the designated buffer boundary. To mitigate this risk, it is recommended to upgrade to ngtcp2 version 1.22.1 or disable the qlog callback on clients until an upgrade can be performed.

Affected Version(s)

ngtcp2 < 1.22.1

References

https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/ngtcp2/ngtcp2/commit/708a7640c1f48fb8f...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2026
Vulnerability Reserved
Apr 9, 2026

CVE-2026-40170 Data

JSON

Ngtcp2

What is CVE-2026-40170?

Affected Version(s)

References

CVSS V3.1

Timeline