GHSA-2x7m-gf85-3745

Source

https://github.com/advisories/GHSA-2x7m-gf85-3745

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-2x7m-gf85-3745/GHSA-2x7m-gf85-3745.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2x7m-gf85-3745

Published

2024-03-13T17:14:43Z

Modified

2024-12-01T05:38:28.061231Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Remote Denial of Service Vulnerability in Microsoft QUIC

Details

Impact

The MsQuic server will continue to leak memory until no more is available, resulting in a denial of service.

Patches

The following patch was made:

Fix Memory Leak from Multiple Decodes of TP - https://github.com/microsoft/msquic/commit/5d070d661c45979946615289e92bb6b822efe9e9

Workarounds

Beyond upgrading to the patched versions, there is no other workaround.

MSRC CVE Info

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26190

Database specific

{
    "severity": "HIGH",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-401"
    ],
    "github_reviewed_at": "2024-03-13T17:14:43Z",
    "github_reviewed": true
}

References

Affected packages

NuGet

Microsoft.Native.Quic.MsQuic.OpenSSL

Package

Name: Microsoft.Native.Quic.MsQuic.OpenSSL; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.Native.Quic.MsQuic.OpenSSL

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.12

Affected versions

1.*

1.8.0

Microsoft.Native.Quic.MsQuic.Schannel

Package

Name: Microsoft.Native.Quic.MsQuic.Schannel; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.Native.Quic.MsQuic.Schannel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.7

Microsoft.Native.Quic.MsQuic.Schannel

Package

Name: Microsoft.Native.Quic.MsQuic.Schannel; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.Native.Quic.MsQuic.Schannel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.3.0

Fixed

2.3.5

Microsoft.Native.Quic.MsQuic.Schannel

Package

Name: Microsoft.Native.Quic.MsQuic.Schannel; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.Native.Quic.MsQuic.Schannel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.12

Affected versions

1.*

1.8.0

Microsoft.Native.Quic.MsQuic.OpenSSL

Package

Name: Microsoft.Native.Quic.MsQuic.OpenSSL; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.Native.Quic.MsQuic.OpenSSL

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.7

Microsoft.Native.Quic.MsQuic.OpenSSL

Package

Name: Microsoft.Native.Quic.MsQuic.OpenSSL; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.Native.Quic.MsQuic.OpenSSL

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.3.0

Fixed

2.3.5