CVE-2024-52811
CVSS 3.1 Score 8.2 of 10 (high)
Details
Summary
CVE-2024-52811 affects the ngtcp2 project, which implements the IETF QUIC protocol in C. In certain versions, incoming acknowledgements (acks) are not properly validated before being logged, leading to a buffer overflow. The issue arises from newly added logic in `ngtcp2_conn::conn_recv_pkt` that skips `ngtcp2_pkt_validate_ack` when processing an ack. Consequently, an invalid ack can be written to the qlog, causing an integer underflow and a subsequent heap overflow. This vulnerability is considered high priority and may impact many users, especially those who enable qlog for debugging purposes. Users are advised to upgrade to ngtcp2 v1.9.1 to address this issue. Those unable to upgrade should refrain from using qlog to avoid the risk of a heap overflow.
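The kind of validation that was skipped can be shown with an added example (not ngtcp2's code and not part of the advisory): a check that walks an ACK frame's ranges as laid out in RFC 9000 section 19.3.1 and rejects any frame whose range arithmetic would underflow, so that it can run before the frame reaches a logging path. The type names, function name and sample frames are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical types for this example; not ngtcp2's structures. */
typedef struct { uint64_t gap, len; } ack_range; /* Gap, ACK Range Length */

typedef struct {
  uint64_t largest_ack;     /* Largest Acknowledged */
  uint64_t first_ack_range; /* First ACK Range */
  size_t rangecnt;          /* number of additional ranges */
  const ack_range *ranges;
} ack_frame;

/* Returns 0 when every range stays at or above packet number 0, -1 when a
   subtraction would wrap. Each bound is compared before subtracting. */
int ack_frame_validate(const ack_frame *fr) {
  uint64_t smallest, largest;
  size_t i;

  if (fr->first_ack_range > fr->largest_ack) return -1;
  smallest = fr->largest_ack - fr->first_ack_range;

  for (i = 0; i < fr->rangecnt; ++i) {
    /* next largest = previous smallest - gap - 2 */
    if (smallest < 2 || fr->ranges[i].gap > smallest - 2) return -1;
    largest = smallest - fr->ranges[i].gap - 2;

    /* next smallest = largest - ACK Range Length */
    if (fr->ranges[i].len > largest) return -1;
    smallest = largest - fr->ranges[i].len;
  }
  return 0;
}

/* Constructed sample frames (not captured traffic). */
static const ack_range r_ok[] = {{0, 1}};
static const ack_range r_long[] = {{0, 7}};
static const ack_frame f_ok = {10, 2, 1, r_ok};    /* acks 8..10 and 5..6 */
static const ack_frame f_first = {3, 5, 0, NULL};  /* first range > largest */
static const ack_frame f_gap = {10, 9, 1, r_ok};   /* smallest 1, gap needs 2 */
static const ack_frame f_len = {10, 2, 1, r_long}; /* range length 7 > 6 */

int main(void) {
  return !(ack_frame_validate(&f_ok) == 0 && ack_frame_validate(&f_first) == -1 &&
           ack_frame_validate(&f_gap) == -1 && ack_frame_validate(&f_len) == -1);
}
```

Code that serializes or logs ACK ranges can then treat a non-zero return as a reason to drop the frame before computing any range bounds or output lengths from it.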