GHSA-2x7m-gf85-3745

Source

https://github.com/advisories/GHSA-2x7m-gf85-3745

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-2x7m-gf85-3745/GHSA-2x7m-gf85-3745.json

Published

2024-03-13T17:14:43Z

Modified

2024-03-13T17:46:10.921258Z

Details

Impact

The MsQuic server will continue to leak memory until no more is available, resulting in a denial of service.

Patches

The following patch was made:

Fix Memory Leak from Multiple Decodes of TP - https://github.com/microsoft/msquic/commit/5d070d661c45979946615289e92bb6b822efe9e9

Workarounds

Beyond upgrading to the patched versions, there is no other workaround.

MSRC CVE Info

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26190

References

Affected packages

NuGet / Microsoft.Native.Quic.MsQuic.OpenSSL

Package

Name: Microsoft.Native.Quic.MsQuic.OpenSSL

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.1.12

Affected versions

1.*

1.8.0

NuGet / Microsoft.Native.Quic.MsQuic.Schannel

Package

Name: Microsoft.Native.Quic.MsQuic.Schannel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.7

NuGet / Microsoft.Native.Quic.MsQuic.Schannel

Package

Name: Microsoft.Native.Quic.MsQuic.Schannel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.3.0

Fixed

2.3.5

NuGet / Microsoft.Native.Quic.MsQuic.Schannel

Package

Name: Microsoft.Native.Quic.MsQuic.Schannel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.1.12

Affected versions

1.*

1.8.0

NuGet / Microsoft.Native.Quic.MsQuic.OpenSSL

Package

Name: Microsoft.Native.Quic.MsQuic.OpenSSL

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.7

NuGet / Microsoft.Native.Quic.MsQuic.OpenSSL

Package

Name: Microsoft.Native.Quic.MsQuic.OpenSSL

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.3.0

Fixed

2.3.5