QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth.
With fix, connections now consistently reject messages larger than 65KiB in size.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2023-2045" }