CVE-2024-22189
- Source
- https://cve.org/CVERecord?id=CVE-2024-22189
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-22189.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-22189
- Aliases
- Downstream
- Related
- Published
- 2024-04-04T14:25:43.663Z
- Modified
- 2026-04-02T09:49:37.712434Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- QUIC's Connection ID Mechanism vulnerable to Memory Exhaustion Attack
- Details
-
quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of
NEW_CONNECTION_IDframes that retire old connection IDs. The receiver is supposed to respond to each retirement frame with aRETIRE_CONNECTION_IDframe. The attacker can prevent the receiver from sending out (the vast majority of) theseRETIRE_CONNECTION_IDframes by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/22xxx/CVE-2024-22189.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-770" ] }- References
-
- https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management
- https://www.youtube.com/watch?v=JqXtYcZAtIA&t=3683s
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/22xxx/CVE-2024-22189.json
- https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478
- https://nvd.nist.gov/vuln/detail/CVE-2024-22189
- https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a
Affected packages
Git / github.com/quic-go/quic-go
Affected ranges
- Type
- GIT
- Repo
- https://github.com/quic-go/quic-go
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/quic-go/quic-go
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
race
v.*
v.0.21
v0.*
v0.10.0
v0.10.0-no-integrationtests
v0.10.1
v0.10.1-no-integrationtests
v0.10.2
v0.11.0
v0.11.1
v0.11.2
v0.12.0
v0.12.1
v0.13.0
v0.13.1
v0.14.0
v0.14.1
v0.14.2
v0.14.3
v0.14.4
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.15.4
v0.15.5
v0.15.6
v0.15.7
v0.15.8
v0.16.0
v0.16.1
v0.16.2
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.18.0
v0.18.1
v0.19.0
v0.19.1
v0.19.2
v0.19.3
v0.20.0
v0.20.1
v0.21.0
v0.21.0-rc.1
v0.21.0-rc.2
v0.21.1
v0.21.2
v0.22.0
v0.22.1
v0.23.0
v0.24.0
v0.25.0
v0.26.0
v0.27.0
v0.27.1
v0.27.2
v0.28.0
v0.28.1
v0.29.0
v0.29.1
v0.29.2
v0.30.0
v0.31.0
v0.31.1
v0.32.0
v0.33.0
v0.33.1
v0.34.0
v0.35.0
v0.35.1
v0.36.0
v0.36.1
v0.36.2
v0.36.3
v0.36.4
v0.37.0
v0.37.1
v0.37.2
v0.37.3
v0.37.4
v0.37.5
v0.37.6
v0.37.7
v0.38.0
v0.38.1
v0.38.2
v0.39.0
v0.39.1
v0.39.2
v0.39.3
v0.39.4
v0.4
v0.40.0
v0.40.1
v0.41.0
v0.5.0
v0.6.0
v0.7.0
v0.8.0
v0.9.0