PUBLISHED

CVE-2023-46239

quic-go vulnerable to pointer dereference that can lead to panic



Description

quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYPTO frame that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort, because completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected.

Reserved 2023-10-19 | Published 2023-10-31 | Updated 2024-09-05 | Assigner GitHub_M


HIGH: 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-248: Uncaught Exception

Product status

>= 0.37.0, < 0.37.3
affected
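
A check for the affected range stated above, as an added example that is not part of the advisory or the quic-go project: it reads a go.mod and reports whether the required quic-go version falls in >= 0.37.0, < 0.37.3. The sample go.mod is constructed and the function names are assumptions; `replace` directives are not resolved, and pseudo-versions or pre-releases are reported as unknown for manual review.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const quicGoModule = "github.com/quic-go/quic-go"

// Constructed go.mod for illustration; not taken from the advisory.
const sampleGoMod = `module example.com/app

go 1.21

require (
	github.com/quic-go/quic-go v0.37.1
	golang.org/x/net v0.17.0 // indirect
)
`

// classify reports whether a version lies in the advisory's range
// >= 0.37.0, < 0.37.3. Anything that is not a plain vMAJOR.MINOR.PATCH
// (pseudo-version, pre-release, +incompatible) returns "unknown".
func classify(version string) string {
	parts := strings.Split(strings.TrimPrefix(version, "v"), ".")
	if len(parts) != 3 {
		return "unknown"
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return "unknown"
		}
		n[i] = v
	}
	if n[0] == 0 && n[1] == 37 && n[2] < 3 {
		return "affected"
	}
	return "not affected"
}

// checkGoMod returns the required quic-go version and its status,
// or ("", "absent") when the module is not required at all.
func checkGoMod(gomod string) (string, string) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == quicGoModule {
			return f[1], classify(f[1])
		}
	}
	return "", "absent"
}

func main() {
	v, status := checkGoMod(sampleGoMod)
	fmt.Printf("%s %s: %s\n", quicGoModule, v, status)
}
```
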

References

github.com/...uic-go/security/advisories/GHSA-3q6m-v84f-6p9h

github.com/...ommit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617

github.com/quic-go/quic-go/releases/tag/v0.37.3

cve.org (CVE-2023-46239)

nvd.nist.gov (CVE-2023-46239)
