CVE-2023-46239

quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 61%
VendorProductVersion
quic-go_projectquic-go
0.37.0 ≤
𝑥
< 0.37.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-github-lucas-clemente-quic-go
bullseye
0.19.3-1
fixed
bookworm
0.29.0-1
fixed
trixie
0.46.0-2
fixed
sid
0.46.0-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-github-lucas-clemente-quic-go
oracular
needs-triage
noble
needs-triage
mantic
ignored
lunar
ignored
jammy
needs-triage
focal
dne
bionic
ignored
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617
https://github.com/quic-go/quic-go/releases/tag/v0.37.3
https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h
https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617
https://github.com/quic-go/quic-go/releases/tag/v0.37.3
https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h