CVE-2026-40170
Severity
High
CVSS score
7.5
Package
ngtcp2
Affected versions
>= 1.11.0-1, < 1.11.0-1+deb13u1

ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, the function ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. If qlog is enabled, a remote peer can send excessively large transport parameters during the QUIC handshake; the serializer then writes past the end of the buffer, a stack buffer overflow reachable before the handshake has completed. Only deployments that have the qlog callback enabled and process untrusted peer transport parameters are affected. The affected range above is expressed in Debian package versions; upstream fixed the issue in 1.22.1. Deployments that cannot upgrade immediately can disable qlog on the client as a workaround.
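The bug class the description covers, as an added illustration in C: a qlog-style serializer that hex-encodes peer-supplied transport parameters into a fixed 1024-byte stack buffer, first in the unchecked form and then with a bounded writer that refuses the record instead of overrunning. This is constructed example code, not ngtcp2's source; the tparam_t struct, the JSON-like record layout, the 600-byte sample value and every function name are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QLOG_BUF_SIZE 1024   /* fixed stack buffer, the size named in the advisory */

/* Hypothetical peer transport parameter: an id plus an opaque value (not ngtcp2's type). */
typedef struct {
    uint64_t id;
    const uint8_t *value;
    size_t value_len;
} tparam_t;

static const char HEX[] = "0123456789abcdef";

/* Exact number of bytes the serializers below emit for a parameter set,
 * so a caller can tell whether it fits in QLOG_BUF_SIZE before writing. */
size_t qlog_tp_required_len(const tparam_t *tp, size_t n)
{
    size_t len = strlen("{\"transport_parameters\":[") + strlen("]}");
    for (size_t i = 0; i < n; i++) {
        char head[64];
        len += (size_t)snprintf(head, sizeof head, "%s{\"id\":%llu,\"value\":\"",
                                i ? "," : "", (unsigned long long)tp[i].id);
        len += 2 * tp[i].value_len + strlen("\"}");
    }
    return len;
}

/* Vulnerable pattern: sprintf and raw stores advance p with no knowledge of
 * how large buf is. Small values are fine; a peer-controlled value of a few
 * hundred bytes (1200 hex characters for 600 bytes) walks off a 1024-byte buffer. */
size_t qlog_tp_write_unchecked(char *buf, const tparam_t *tp, size_t n)
{
    char *p = buf;
    p += sprintf(p, "{\"transport_parameters\":[");
    for (size_t i = 0; i < n; i++) {
        p += sprintf(p, "%s{\"id\":%llu,\"value\":\"", i ? "," : "",
                     (unsigned long long)tp[i].id);
        for (size_t j = 0; j < tp[i].value_len; j++) {
            *p++ = HEX[tp[i].value[j] >> 4];
            *p++ = HEX[tp[i].value[j] & 0x0f];
        }
        p += sprintf(p, "\"}");
    }
    p += sprintf(p, "]}");
    return (size_t)(p - buf);
}

/* Hardened form: every append goes through a writer that tracks capacity and
 * latches an overflow flag instead of writing past the end. */
typedef struct { char *buf; size_t cap; size_t len; int overflow; } qbuf_t;

static void qbuf_put(qbuf_t *w, const char *s, size_t n)
{
    if (w->overflow || n > w->cap - w->len) { w->overflow = 1; return; }
    memcpy(w->buf + w->len, s, n);
    w->len += n;
}

static void qbuf_puts(qbuf_t *w, const char *s) { qbuf_put(w, s, strlen(s)); }

/* Returns the record length, or -1 if it would not fit in cap bytes; the
 * caller then drops the qlog event rather than truncating or overflowing. */
long qlog_tp_write_checked(char *buf, size_t cap, const tparam_t *tp, size_t n)
{
    qbuf_t w = { buf, cap, 0, 0 };
    qbuf_puts(&w, "{\"transport_parameters\":[");
    for (size_t i = 0; i < n; i++) {
        char head[64];
        int hl = snprintf(head, sizeof head, "%s{\"id\":%llu,\"value\":\"",
                          i ? "," : "", (unsigned long long)tp[i].id);
        qbuf_put(&w, head, (size_t)hl);
        for (size_t j = 0; j < tp[i].value_len; j++) {
            char hx[2] = { HEX[tp[i].value[j] >> 4], HEX[tp[i].value[j] & 0x0f] };
            qbuf_put(&w, hx, 2);
        }
        qbuf_puts(&w, "\"}");
    }
    qbuf_puts(&w, "]}");
    return w.overflow ? -1 : (long)w.len;
}

int main(void)
{
    /* Constructed peer input: a 4-byte value that fits and a 600-byte value that does not. */
    static const uint8_t small[4] = { 0x01, 0x02, 0x03, 0x04 };
    static uint8_t big[600];
    memset(big, 0x41, sizeof big);
    tparam_t ok[1]  = { { 0x03, small, sizeof small } };
    tparam_t bad[1] = { { 0x0d, big, sizeof big } };
    char stack_buf[QLOG_BUF_SIZE];

    size_t n = qlog_tp_write_unchecked(stack_buf, ok, 1);
    printf("small set: %zu bytes: %.*s\n", n, (int)n, stack_buf);
    printf("large set needs %zu bytes, buffer holds %d\n",
           qlog_tp_required_len(bad, 1), QLOG_BUF_SIZE);
    /* qlog_tp_write_unchecked(stack_buf, bad, 1) would overrun stack_buf here. */
    long r = qlog_tp_write_checked(stack_buf, sizeof stack_buf, bad, 1);
    printf("checked writer returned %ld, event dropped\n", r);
    return 0;
}
```

The point of the bounded writer is that the decision to drop or overflow is made on every append, not once up front against a size the peer controls; an equivalent fix is to size the buffer from qlog_tp_required_len() on the heap before serializing.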
NVD Record:
References:
- https://github.com/ngtcp2/ngtcp2/commit/708a7640c1f48fb8ffb540c4b8ea5b4c1dfb8ee5
- https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA-f523-465f-8c8f
- http://www.openwall.com/lists/oss-security/2026/04/17/12