Description
QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.
References (6)
Core 6
Core References
Patch
https://go.dev/cl/523039
Issue Tracking
https://go.dev/issue/62266
Mailing List, Release Notes
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
Vendor Advisory
https://pkg.go.dev/vuln/GO-2023-2045
Third Party Advisory
https://security.netapp.com/advisory/ntap-20231020-0004/
Third Party Advisory
https://security.gentoo.org/glsa/202311-09
Scores
CVSS v3
7.5
EPSS
0.0004
EPSS Percentile
12.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (1)
golang/go
1.21.0 - 1.21.1
Published
Sep 08, 2023
Tracked Since
Feb 18, 2026