CVE-2026-40170
EUVD-2026-2330216.04.2026, 22:16
ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable the qlog on client.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| tatsuhiro-t | ngtcp2 | 𝑥 < 1.22.1 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 10 | 0:4.23.5-109.el10_2 ≤ 𝑥 < * | ADP |
| Red Hat | Red Hat Enterprise Linux 9 | 0:4.23.5-10.el9_8 ≤ 𝑥 < * | ADP |
| Red Hat | Red Hat Hardened Images | 1.22.1-1.hum1 ≤ 𝑥 < * | ADP |
Debian Releases
Ubuntu Releases
openSUSE / SLES Releases
openSUSE Product | |||||||
|---|---|---|---|---|---|---|---|
| nodejs22 |
| ||||||
| nodejs22-devel |
| ||||||
| nodejs22-docs |
| ||||||
| nodejs24 |
| ||||||
| nodejs24-devel |
| ||||||
| nodejs24-docs |
| ||||||
| npm22 |
| ||||||
| npm24 |
|
Red Hat Enterprise Linux Releases
Red Hat Product | |||
|---|---|---|---|
| ctdb |
| ||
| ldb-tools |
| ||
| libldb |
| ||
| libldb-devel |
| ||
| libnetapi |
| ||
| libnetapi-devel |
| ||
| libsmbclient |
| ||
| libsmbclient-devel |
| ||
| libwbclient |
| ||
| libwbclient-devel |
| ||
| python3-ldb |
| ||
| python3-samba |
| ||
| python3-samba-dc |
| ||
| python3-samba-test |
| ||
| samba |
| ||
| samba-client |
| ||
| samba-client-libs |
| ||
| samba-common |
| ||
| samba-common-libs |
| ||
| samba-common-tools |
| ||
| samba-dc-libs |
| ||
| samba-dcerpc |
| ||
| samba-devel |
| ||
| samba-gpupdate |
| ||
| samba-krb5-printing |
| ||
| samba-ldb-ldap-modules |
| ||
| samba-libs |
| ||
| samba-pidl |
| ||
| samba-test |
| ||
| samba-test-libs |
| ||
| samba-tools |
| ||
| samba-usershares |
| ||
| samba-vfs-iouring |
| ||
| samba-winbind |
| ||
| samba-winbind-clients |
| ||
| samba-winbind-krb5-locator |
| ||
| samba-winbind-modules |
| ||
| samba-winexe |
|
Amazon Linux Releases
Amazon Package | |||
|---|---|---|---|
| ngtcp2 |
| ||
| ngtcp2-crypto-gnutls |
| ||
| ngtcp2-crypto-gnutls-debuginfo |
| ||
| ngtcp2-crypto-gnutls-devel |
| ||
| ngtcp2-crypto-ossl |
| ||
| ngtcp2-crypto-ossl-debuginfo |
| ||
| ngtcp2-crypto-ossl-devel |
| ||
| ngtcp2-debuginfo |
| ||
| ngtcp2-debugsource |
| ||
| ngtcp2-devel |
| ||
| ngtcp2-doc |
|
Common Weakness Enumeration
- CWE-121 - Stack-based Buffer OverflowA stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
References