CVE-2023-39322

Name
CVE-2023-39322
Description
QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With the fix, connections now consistently reject messages larger than 65KiB in size.
NVD Severity
medium

References

Type                  URI
MISC                  https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
MISC                  https://go.dev/cl/523039
MISC                  https://go.dev/issue/62266
MISC                  https://pkg.go.dev/vuln/GO-2023-2045
Third Party Advisory  https://security.netapp.com/advisory/ntap-20231020-0004/
                      https://security.gentoo.org/glsa/202311-09

Match rules

CPE URI                              Source package  Min version  Max version
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*  go              >= 1.21.0    < 1.21.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status