
Tatsuhiro-T

#30724 of 53,633
8.5 Total CVSS
Vulnerabilities · 1
PT-2024-35460
8.5
2024-11-25
Ngtcp2 · Ngtcp2 · CVE-2024-52811
**Name of the Vulnerable Software and Affected Versions**

ngtcp2 versions prior to 1.9.1

**Description**

The issue arises from the lack of validation of ACK frames before they are written to the qlog, leading to a buffer overflow. It occurs in `ngtcp2_conn::conn_recv_pkt` when handling an ACK: new logic skips `conn_recv_ack` if an ACK has already been processed in the payload, but in doing so also inadvertently skips `ngtcp2_pkt_validate_ack`. As a result, an invalid ACK can be written to the qlog, potentially causing an integer underflow when `largest_ack=0` and `first_ack_range=15`. This underflow leads to a heap overflow because the ngtcp2 qlog code assumes the number written is a signed integer and only accounts for 19 characters of overhead. The bug manifests in `ngtcp2_qlog::write_ack_frame`. Although qlog is disabled by default because of its overhead and is likely used mainly for debugging, actual usage is unknown, so this could affect many users if they enable qlog.

**Recommendations**

For versions prior to 1.9.1, upgrade to version 1.9.1 to fix the bug. Users unable to upgrade should leave qlog turned off as a temporary workaround to minimize the risk of exploitation.
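To make the two halves of the defect concrete (the skipped range check, and a buffer sized for a 19-digit signed value receiving a 20-digit unsigned one), here is an added, self-contained C illustration. It is not ngtcp2's code: the `ack_frame_t` struct, the function names and the `[lo,hi]` output format are all constructed for this example, and the only values taken from the advisory are `largest_ack=0` and `first_ack_range=15`. The writer validates the frame before serializing it and treats truncation as an error, which is the property a qlog-style consumer needs regardless of who validated the frame upstream.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed ACK frame shape for illustration; it is not ngtcp2's own struct. */
typedef struct {
  uint64_t largest_ack;     /* highest packet number acknowledged */
  uint64_t first_ack_range; /* how many packets below largest_ack are also acked */
} ack_frame_t;

/* The check the advisory says was skipped on the qlog path: the first range must
   not extend below packet number 0, i.e. first_ack_range <= largest_ack. */
bool ack_is_valid(uint64_t largest_ack, uint64_t first_ack_range) {
  return first_ack_range <= largest_ack;
}

/* Lowest packet number in the first range, computed WITHOUT validation. For
   largest_ack=0, first_ack_range=15 this wraps to 2^64 - 15 (unsigned underflow). */
uint64_t first_range_min_unchecked(uint64_t largest_ack, uint64_t first_ack_range) {
  return largest_ack - first_ack_range;
}

/* Decimal digit count of a uint64; the wrapped value needs all 20 digits, one
   more than the 19 that any positive int64 fits in. */
size_t dec_digits_u64(uint64_t v) {
  size_t n = 1;
  while (v >= 10) { v /= 10; n++; }
  return n;
}

/* Hardened qlog-style writer: validate first, then format with bounds checking.
   Returns bytes written, or -1 if the frame is invalid or the buffer is too small. */
int qlog_write_ack_range(char *out, size_t outlen, const ack_frame_t *ack) {
  if (!ack_is_valid(ack->largest_ack, ack->first_ack_range)) {
    return -1; /* never serialize a frame that failed validation */
  }
  uint64_t lo = ack->largest_ack - ack->first_ack_range; /* safe after the check */
  int n = snprintf(out, outlen, "[%llu,%llu]",
                   (unsigned long long)lo, (unsigned long long)ack->largest_ack);
  if (n < 0 || (size_t)n >= outlen) {
    return -1; /* truncation is an error, not silently accepted */
  }
  return n;
}

/* Convenience wrapper (hypothetical): formats into a correctly sized local buffer
   and returns 1 if the output equals `expected`, 0 on rejection or mismatch. */
int qlog_ack_matches(uint64_t largest_ack, uint64_t first_ack_range, const char *expected) {
  char buf[2 * 20 + 4]; /* two 20-digit numbers plus "[", ",", "]" and NUL */
  ack_frame_t ack = { largest_ack, first_ack_range };
  if (qlog_write_ack_range(buf, sizeof buf, &ack) < 0) return 0;
  return strcmp(buf, expected) == 0;
}

/* Returns the writer's result code for the given values and buffer length
   (-1 on rejection), so the rejection path can be checked directly. */
int qlog_ack_result(uint64_t largest_ack, uint64_t first_ack_range, size_t buflen) {
  char buf[64];
  if (buflen > sizeof buf) buflen = sizeof buf;
  ack_frame_t ack = { largest_ack, first_ack_range };
  return qlog_write_ack_range(buf, buflen, &ack);
}

int main(void) {
  /* The advisory's values: rejected before anything touches the qlog buffer. */
  printf("largest_ack=0 first_ack_range=15 valid? %s\n",
         ack_is_valid(0, 15) ? "yes" : "no");
  printf("unchecked min wraps to %llu (%zu digits)\n",
         (unsigned long long)first_range_min_unchecked(0, 15),
         dec_digits_u64(first_range_min_unchecked(0, 15)));
  printf("writer result for a valid frame (100,15): %d\n", qlog_ack_result(100, 15, 64));
  return 0;
}
```

The point of `dec_digits_u64` is the sizing arithmetic: a buffer that budgets 19 characters for the number is correct for every valid frame, because a valid `lo` is at most `largest_ack`, but one byte short for the wrapped value, which is exactly the margin the advisory describes. Validating before serializing removes the wrapped value from the writer's input space; bounds-checking the `snprintf` result is the second, independent line of defense.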