CVE-2023-39322

QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
golanggo
1.21.0 ≤
𝑥
< 1.21.1
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
go_standard_librarycrypto_tls
1.21.0-0 ≤
𝑥
< 1.21.1
ADP
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang
bionic
dne
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
not-affected
xenial
dne
golang-1.10
bionic
not-affected
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
not-affected
xenial
not-affected
golang-1.13
bionic
not-affected
focal
not-affected
jammy
not-affected
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
dne
xenial
not-affected
golang-1.14
bionic
dne
focal
not-affected
jammy
dne
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
dne
xenial
dne
golang-1.16
bionic
not-affected
focal
not-affected
jammy
dne
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
dne
xenial
dne
golang-1.17
bionic
dne
focal
dne
jammy
not-affected
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
dne
xenial
dne
golang-1.18
bionic
not-affected
focal
not-affected
jammy
not-affected
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
dne
xenial
not-affected
golang-1.19
bionic
dne
focal
dne
jammy
dne
lunar
not-affected
mantic
dne
noble
dne
oracular
dne
trusty
dne
xenial
dne
golang-1.20
bionic
dne
focal
not-affected
jammy
not-affected
lunar
not-affected
mantic
not-affected
noble
dne
oracular
dne
trusty
dne
xenial
dne
golang-1.21
bionic
dne
focal
not-affected
jammy
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
oracular
dne
trusty
dne
xenial
dne
golang-1.6
bionic
dne
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
not-affected
xenial
not-affected
golang-1.8
bionic
not-affected
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
dne
xenial
dne
golang-1.9
bionic
not-affected
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
dne
xenial
dne
Common Weakness Enumeration
References
https://go.dev/cl/523039
https://go.dev/issue/62266
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
https://pkg.go.dev/vuln/GO-2023-2045
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20231020-0004/
https://go.dev/cl/523039
https://go.dev/issue/62266
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
https://pkg.go.dev/vuln/GO-2023-2045
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20231020-0004/