GHSA-2x7m-gf85-3745

Suggest an improvement
Source
https://github.com/advisories/GHSA-2x7m-gf85-3745
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-2x7m-gf85-3745/GHSA-2x7m-gf85-3745.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2x7m-gf85-3745
Published
2024-03-13T17:14:43Z
Modified
2024-03-13T17:46:10.921258Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Remote Denial of Service Vulnerability in Microsoft QUIC
Details

Impact

The MsQuic server will continue to leak memory until no more is available, resulting in a denial of service.

Patches

The following patch was made:

  • Fix Memory Leak from Multiple Decodes of TP - https://github.com/microsoft/msquic/commit/5d070d661c45979946615289e92bb6b822efe9e9

Workarounds

Beyond upgrading to the patched versions, there is no other workaround.

MSRC CVE Info

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26190

References

Affected packages

NuGet / Microsoft.Native.Quic.MsQuic.OpenSSL

Package

Name
Microsoft.Native.Quic.MsQuic.OpenSSL
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.Native.Quic.MsQuic.OpenSSL

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.12

Affected versions

1.*

1.8.0

NuGet / Microsoft.Native.Quic.MsQuic.Schannel

Package

Name
Microsoft.Native.Quic.MsQuic.Schannel
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.Native.Quic.MsQuic.Schannel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.7

NuGet / Microsoft.Native.Quic.MsQuic.Schannel

Package

Name
Microsoft.Native.Quic.MsQuic.Schannel
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.Native.Quic.MsQuic.Schannel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.5

NuGet / Microsoft.Native.Quic.MsQuic.Schannel

Package

Name
Microsoft.Native.Quic.MsQuic.Schannel
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.Native.Quic.MsQuic.Schannel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.12

Affected versions

1.*

1.8.0

NuGet / Microsoft.Native.Quic.MsQuic.OpenSSL

Package

Name
Microsoft.Native.Quic.MsQuic.OpenSSL
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.Native.Quic.MsQuic.OpenSSL

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.7

NuGet / Microsoft.Native.Quic.MsQuic.OpenSSL

Package

Name
Microsoft.Native.Quic.MsQuic.OpenSSL
View open source insights on deps.dev
Purl
pkg:nuget/Microsoft.Native.Quic.MsQuic.OpenSSL

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.5