CVE-2026-40170

EUVD-2026-23302
ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable the qlog on client.
Classic Buffer Overflow
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
Affected Products (NVD)
VendorProductVersion
tatsuhiro-tngtcp2
𝑥
< 1.22.1
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
Red HatRed Hat Enterprise Linux 10
0:4.23.5-109.el10_2 ≤
𝑥
< *
ADP
Red HatRed Hat Enterprise Linux 9
0:4.23.5-10.el9_8 ≤
𝑥
< *
ADP
Red HatRed Hat Hardened Images
1.22.1-1.hum1 ≤
𝑥
< *
ADP
Debian logo
Debian Releases
Debian Product
Codename
ngtcp2
bookworm
0.12.1+dfsg-1+deb12u1
fixed
bookworm (security)
0.12.1+dfsg-1+deb12u1
fixed
forky
1.22.1-1
fixed
sid
1.22.1-1
fixed
trixie
1.11.0-1+deb13u1
fixed
trixie (security)
1.11.0-1+deb13u1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ngtcp2
jammy
Fixed 0.1.0+dfsg-1ubuntu0.1~esm1
released
noble
Fixed 0.12.1+dfsg-1+deb12u1build0.24.04.1
released
questing
Fixed 1.11.0-1+deb13u1build0.25.10.1
released
resolute
Fixed 1.16.0-1ubuntu0.1
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
nodejs22
suse enterprise sap 15 SP7
22.23.0-150700.3.12.1
fixed
suse enterprise server 15 SP6
22.23.0-150600.13.18.1
fixed
suse enterprise server 15 SP7
22.23.0-150700.3.12.1
fixed
nodejs22-devel
suse enterprise sap 15 SP7
22.23.0-150700.3.12.1
fixed
suse enterprise server 15 SP6
22.23.0-150600.13.18.1
fixed
suse enterprise server 15 SP7
22.23.0-150700.3.12.1
fixed
nodejs22-docs
suse enterprise sap 15 SP7
22.23.0-150700.3.12.1
fixed
suse enterprise server 15 SP6
22.23.0-150600.13.18.1
fixed
suse enterprise server 15 SP7
22.23.0-150700.3.12.1
fixed
nodejs24
suse enterprise sap 15 SP7
24.17.0-150700.15.11.1
fixed
suse enterprise server 15 SP7
24.17.0-150700.15.11.1
fixed
nodejs24-devel
suse enterprise sap 15 SP7
24.17.0-150700.15.11.1
fixed
suse enterprise server 15 SP7
24.17.0-150700.15.11.1
fixed
nodejs24-docs
suse enterprise sap 15 SP7
24.17.0-150700.15.11.1
fixed
suse enterprise server 15 SP7
24.17.0-150700.15.11.1
fixed
npm22
suse enterprise sap 15 SP7
22.23.0-150700.3.12.1
fixed
suse enterprise server 15 SP6
22.23.0-150600.13.18.1
fixed
suse enterprise server 15 SP7
22.23.0-150700.3.12.1
fixed
npm24
suse enterprise sap 15 SP7
24.17.0-150700.15.11.1
fixed
suse enterprise server 15 SP7
24.17.0-150700.15.11.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
ctdb
RHEL 9
0:4.23.5-10.el9_8
fixed
ldb-tools
RHEL 9
0:4.23.5-10.el9_8
fixed
libldb
RHEL 9
0:4.23.5-10.el9_8
fixed
libldb-devel
RHEL 9
0:4.23.5-10.el9_8
fixed
libnetapi
RHEL 9
0:4.23.5-10.el9_8
fixed
libnetapi-devel
RHEL 9
0:4.23.5-10.el9_8
fixed
libsmbclient
RHEL 9
0:4.23.5-10.el9_8
fixed
libsmbclient-devel
RHEL 9
0:4.23.5-10.el9_8
fixed
libwbclient
RHEL 9
0:4.23.5-10.el9_8
fixed
libwbclient-devel
RHEL 9
0:4.23.5-10.el9_8
fixed
python3-ldb
RHEL 9
0:4.23.5-10.el9_8
fixed
python3-samba
RHEL 9
0:4.23.5-10.el9_8
fixed
python3-samba-dc
RHEL 9
0:4.23.5-10.el9_8
fixed
python3-samba-test
RHEL 9
0:4.23.5-10.el9_8
fixed
samba
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-client
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-client-libs
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-common
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-common-libs
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-common-tools
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-dc-libs
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-dcerpc
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-devel
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-gpupdate
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-krb5-printing
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-ldb-ldap-modules
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-libs
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-pidl
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-test
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-test-libs
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-tools
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-usershares
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-vfs-iouring
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-winbind
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-winbind-clients
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-winbind-krb5-locator
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-winbind-modules
RHEL 9
0:4.23.5-10.el9_8
fixed
samba-winexe
RHEL 9
0:4.23.5-10.el9_8
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
ngtcp2
Amazon Linux 2023
0:1.21.0-1.amzn2023.0.2
fixed
ngtcp2-crypto-gnutls
Amazon Linux 2023
0:1.21.0-1.amzn2023.0.2
fixed
ngtcp2-crypto-gnutls-debuginfo
Amazon Linux 2023
0:1.21.0-1.amzn2023.0.2
fixed
ngtcp2-crypto-gnutls-devel
Amazon Linux 2023
0:1.21.0-1.amzn2023.0.2
fixed
ngtcp2-crypto-ossl
Amazon Linux 2023
0:1.21.0-1.amzn2023.0.2
fixed
ngtcp2-crypto-ossl-debuginfo
Amazon Linux 2023
0:1.21.0-1.amzn2023.0.2
fixed
ngtcp2-crypto-ossl-devel
Amazon Linux 2023
0:1.21.0-1.amzn2023.0.2
fixed
ngtcp2-debuginfo
Amazon Linux 2023
0:1.21.0-1.amzn2023.0.2
fixed
ngtcp2-debugsource
Amazon Linux 2023
0:1.21.0-1.amzn2023.0.2
fixed
ngtcp2-devel
Amazon Linux 2023
0:1.21.0-1.amzn2023.0.2
fixed
ngtcp2-doc
Amazon Linux 2023
0:1.21.0-1.amzn2023.0.2
fixed