Skip to content

quiche vulnerable to unlimited resource allocation by QUIC CRYPTO frames flooding

Moderate severity GitHub Reviewed Published Mar 12, 2024 in cloudflare/quiche • Updated Mar 13, 2024

Package

cargo quiche (Rust)

Affected versions

< 0.19.2
>= 0.20.0, < 0.20.1

Patched versions

0.19.2
0.20.1

Description

Impact

Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client.

A remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake.
Exploitation was possible for the duration of the connection which could be extended by the attacker.

Patches

Quiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.

References

@mskowroncf mskowroncf published to cloudflare/quiche Mar 12, 2024
Published by the National Vulnerability Database Mar 12, 2024
Published to the GitHub Advisory Database Mar 13, 2024
Reviewed Mar 13, 2024
Last updated Mar 13, 2024

Severity

Moderate
5.9
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CVE ID

CVE-2024-1765

GHSA ID

GHSA-78wx-jg4j-5j6g

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.