CVE-2024-1765

MEDIUM

Cloudflare Quiche < 0.19.2 - Denial of Service via 1-RTT CRYPTO Frame Flood

Title source: llm

Description

Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client. A remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake. Exploitation was possible for the duration of the connection which could be extended by the attacker. quiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.

References (1)

Core 1

Core References

Vendor Advisory

https://github.com/cloudflare/quiche/security/advisories/GHSA-78wx-jg4j-5j6g

Scores

CVSS v3 5.9

EPSS 0.0118

EPSS Percentile 63.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-400 CWE-770

Status published

Products (3)

cloudflare/quiche 0.20.0

cloudflare/quiche < 0.19.2

crates.io/quiche 0 - 0.19.2crates.io

Published Mar 12, 2024

Tracked Since Feb 18, 2026