CVSS3: 7.5 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001 Low (Percentile 37.8%)

QUIC connections do not set an upper bound on the amount of data buffered
when reading post-handshake messages, allowing a malicious QUIC connection
to cause unbounded memory growth. With the fix, connections now consistently
reject messages larger than 65KiB in size.

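The bound described above, sketched as an added example that is not taken from the Go commit: a reassembler for length-prefixed handshake messages that checks the declared length as soon as the header arrives. The `msgBuffer` type, `Feed` method and `maxMsgSize` constant are hypothetical names, and the limit simply reuses the 65KiB figure quoted in the description.

```go
package main

import (
	"errors"
	"fmt"
)

// maxMsgSize reuses the 65KiB figure from the description (assumption of this sketch).
const maxMsgSize = 65 * 1024

var ErrTooLarge = errors.New("handshake message exceeds size limit")

// msgBuffer reassembles TLS handshake messages (1-byte type, 3-byte length,
// body) from chunks of stream data. Hypothetical type, for illustration only.
type msgBuffer struct{ buf []byte }

// Feed appends a chunk and returns every complete message now available.
// The declared length is checked as soon as the 4-byte header is present,
// so an oversized message is rejected before its body is accumulated.
func (m *msgBuffer) Feed(chunk []byte) ([][]byte, error) {
	m.buf = append(m.buf, chunk...)
	var msgs [][]byte
	for len(m.buf) >= 4 {
		n := int(m.buf[1])<<16 | int(m.buf[2])<<8 | int(m.buf[3])
		if n > maxMsgSize {
			m.buf = nil // release buffered data; the caller should close the connection
			return msgs, ErrTooLarge
		}
		if len(m.buf) < 4+n {
			break // incomplete message: fewer than 4+maxMsgSize bytes remain buffered
		}
		msgs = append(msgs, append([]byte(nil), m.buf[:4+n]...))
		m.buf = m.buf[4+n:]
	}
	return msgs, nil
}

func main() {
	var m msgBuffer
	// Constructed input: a 3-byte message of type 4 split across two chunks.
	msgs, err := m.Feed([]byte{4, 0, 0, 3, 'a'})
	fmt.Println(len(msgs), err)
	msgs, err = m.Feed([]byte{'b', 'c'})
	fmt.Println(len(msgs), err)
	// Constructed input: a header declaring a body of almost 16 MiB.
	_, err = m.Feed([]byte{4, 0xff, 0xff, 0xff})
	fmt.Println(err)
}
```

Without the length check, the same loop would keep appending chunks until the declared body was complete, which is the unbounded growth the description refers to.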
Author | Note |
---|---|
mdeslaur | Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. |
sbeattie | only affects golang-1.21 |
github.com/golang/go/commit/91a4e74b98179f63a27dbff1ad68ddd0ed64363a (go1.21.1)
go.dev/cl/523039
go.dev/issue/62266
groups.google.com/g/golang-announce/c/Fm51GRLNRvM
groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
launchpad.net/bugs/cve/CVE-2023-39322
nvd.nist.gov/vuln/detail/CVE-2023-39322
pkg.go.dev/vuln/GO-2023-2045
security-tracker.debian.org/tracker/CVE-2023-39322
www.cve.org/CVERecord?id=CVE-2023-39322