CVE-2024-34161

2024-05-2916:15:10

Debian Security Bug Tracker

security-tracker.debian.org

nginx

memory leak

quic

http/3

network infrastructure

mtu

fragmentation

worker processes

memory

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.8

Confidence

Low

EPSS

Percentile

15.5%

JSON

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.

OSVersionArchitecturePackageVersionFilename
Debian12allnginx< 1.22.1-9nginx_1.22.1-9_all.deb
Debian11allnginx< 1.18.0-6.1+deb11u3nginx_1.18.0-6.1+deb11u3_all.deb
Debian999allnginx< 1.26.0-2nginx_1.26.0-2_all.deb
Debian13allnginx< 1.26.0-2nginx_1.26.0-2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	nginx	< 1.22.1-9	nginx_1.22.1-9_all.deb
Debian	11	all	nginx	< 1.18.0-6.1+deb11u3	nginx_1.18.0-6.1+deb11u3_all.deb
Debian	999	all	nginx	< 1.26.0-2	nginx_1.26.0-2_all.deb
Debian	13	all	nginx	< 1.26.0-2	nginx_1.26.0-2_all.deb