CVE-2024-1765 Unlimited resource allocation by QUIC CRYPTO frames flooding in quiche

2024-03-1218:04:54

CWE-770

CWE-400

cloudflare

www.cve.org

quic crypto frames

cloudflare quiche

unlimited resource allocation

memory usage

system vulnerability

remote attacker

1-rtt

quic handshake

exploitation

connection duration

fix

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

Percentile

9.0%

JSON

Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client.
A remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake.
Exploitation was possible for the duration of the connection which could be extended by the attacker.
quiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "packageName": "quiche",
    "platforms": [
      "Rust"
    ],
    "product": "quiche",
    "vendor": "Cloudflare",
    "versions": [
      {
        "lessThanOrEqual": "<0.19.1",
        "status": "affected",
        "version": "0.15.0",
        "versionType": "semver"
      },
      {
        "lessThan": "<0.20.1",
        "status": "affected",
        "version": "0.20.0",
        "versionType": "semver"
      }
    ]
  }
]