Headline
GHSA-3q6m-v84f-6p9h: quic-go vulnerable to pointer dereference that can lead to panic
quic-go is an implementation of the QUIC transport protocol in Go. By serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space.
Impact
An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets.
Patches
v0.37.3 contains a patch. Versions before v0.37.0 are not affected.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-46239
quic-go vulnerable to pointer dereference that can lead to panic
Moderate severity GitHub Reviewed Published Oct 27, 2023 in quic-go/quic-go • Updated Oct 30, 2023
Package
gomod github.com/quic-go/quic-go (Go)
Affected versions
>= 0.37.0, < 0.37.3
quic-go is an implementation of the QUIC transport protocol in Go. By serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space.
Impact
An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets.
Patches
v0.37.3 contains a patch. Versions before v0.37.0 are not affected.
References
- GHSA-3q6m-v84f-6p9h
- quic-go/quic-go@b6a4725
- https://github.com/quic-go/quic-go/releases/tag/v0.37.3
Published to the GitHub Advisory Database
Oct 30, 2023
Last updated
Oct 30, 2023
Related news
quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected.