CVE-2023-46239
HIGHquic-go 0.37.0-0.37.3 - Denial of Service via Handshake Packet Number Space
Title source: llmDescription
quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h
Patch x_refsource_misc
https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617
Release Notes x_refsource_misc
https://github.com/quic-go/quic-go/releases/tag/v0.37.3
Scores
CVSS v3
7.5
EPSS
0.0076
EPSS Percentile
50.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-248
CWE-476
Status
published
Products (2)
quic-go/quic-go
0.37.0 - 0.37.3Go
quic-go_project/quic-go
0.37.0 - 0.37.3
Published
Oct 31, 2023
Tracked Since
Feb 18, 2026