CVE-2024-1765: quiche vulnerable to unlimited resource allocation by QUIC CRYPTO frames flooding
Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client.
A remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake. Exploitation was possible for the duration of the connection which could be extended by the attacker.
References
- github.com/advisories/GHSA-78wx-jg4j-5j6g
- github.com/cloudflare/quiche
- github.com/cloudflare/quiche/commit/1017466c143fc93a82b286a1ba35e53334cdf8e2
- github.com/cloudflare/quiche/commit/11dbf5461ab657bbc02e466d719070124b27ef3c
- github.com/cloudflare/quiche/releases/tag/0.19.2
- github.com/cloudflare/quiche/releases/tag/0.20.1
- github.com/cloudflare/quiche/security/advisories/GHSA-78wx-jg4j-5j6g
- nvd.nist.gov/vuln/detail/CVE-2024-1765
Code Behaviors & Features
Detect and mitigate CVE-2024-1765 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →