CVSS3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
AI Score Confidence | High |
EPSS Percentile | 27.9% |

quic-go is an implementation of the QUIC protocol in Go. Starting in
version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame
after the CRYPTO frame that allows a node to complete the handshake, a remote
node could trigger a nil pointer dereference (leading to a panic) when the
node attempted to drop the Handshake packet number space. An attacker can
bring down a quic-go node with minimal effort, since completing the QUIC
handshake only requires sending and receiving a few packets. Version 0.37.3
contains a patch. Versions before 0.37.0 are not affected.
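
An added example (not code from quic-go or from this advisory): a Go check that reads a go.mod and reports whether the required quic-go version falls in the affected range stated above. The sample go.mod, the function names, and the conservative handling of pre-release and pseudo-versions are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const quicGoModule = "github.com/quic-go/quic-go" // module path from the advisory links

// Constructed sample go.mod for illustration, not from a real project.
const sampleGoMod = `module example.test/edge-proxy
require (
	github.com/quic-go/quic-go v0.37.2 // indirect
	golang.org/x/net v0.17.0
)`

// affected reports whether version lies in the advisory's range: 0.37.0 up to,
// but not including, 0.37.3. Assumption: a pre-release or pseudo-version of
// 0.37.3 predates the fixed release, so it is conservatively flagged as well.
func affected(version string) (bool, error) {
	core, pre := strings.TrimPrefix(version, "v"), false
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		pre, core = core[i] == '-', core[:i]
	}
	var major, minor, patch int
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &major, &minor, &patch); err != nil {
		return false, fmt.Errorf("unparseable version %q: %w", version, err)
	}
	return major == 0 && minor == 37 && (patch < 3 || (patch == 3 && pre)), nil
}

// quicGoVersion returns the quic-go version required by the given go.mod text,
// or "" when the module is not listed. replace directives are not resolved.
func quicGoVersion(gomod string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop "// indirect" etc.
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" {
			f = f[1:] // single-line form: require <path> <version>
		}
		if len(f) == 2 && f[0] == quicGoModule {
			return f[1]
		}
	}
	return ""
}

func main() {
	v := quicGoVersion(sampleGoMod)
	bad, err := affected(v)
	fmt.Println(v, bad, err)
}
```

A go.mod records the minimum required version; in a multi-module build, `go list -m github.com/quic-go/quic-go` shows the version actually selected.
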
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | golang-github-lucas-clemente-quic-go | < any | UNKNOWN |
ubuntu | 24.04 | noarch | golang-github-lucas-clemente-quic-go | < any | UNKNOWN |
github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617 (v0.37.3)
github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h
launchpad.net/bugs/cve/CVE-2023-46239
nvd.nist.gov/vuln/detail/CVE-2023-46239
security-tracker.debian.org/tracker/CVE-2023-46239
www.cve.org/CVERecord?id=CVE-2023-46239