PT-2023-29922 · Quic-Go · Quic-Go
Marten-Seemann · Published 2023-10-30 · Updated 2023-11-09 · CVE-2023-46239
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
quic-go versions 0.37.0 through 0.37.2
Description
The issue arises from serializing an ACK frame after the CRYPTO frame, allowing a node to complete the handshake. This can trigger a nil pointer dereference when the node attempts to drop the Handshake packet number space, leading to a panic. An attacker can bring down a quic-go node with minimal effort by completing the QUIC handshake, which requires sending and receiving only a few packets.
Recommendations
For quic-go versions 0.37.0 through 0.37.2, update to version 0.37.3 to resolve the issue.
As a temporary workaround, consider restricting access to the QUIC handshake protocol until the patch is applied.
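To find builds that still need the update, the affected range above can be checked against a project's go.mod. The following is an added example, not code from the advisory or from the quic-go project; the module path `github.com/quic-go/quic-go`, the function names `Classify` and `QuicGoVersion`, and the sample go.mod are assumptions made for illustration. It also flags pseudo-versions cut just before the 0.37.3 tag for manual review, which is a conservative choice rather than something the advisory states.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed module path; the advisory only names the product "Quic-Go".
const quicGoModule = "github.com/quic-go/quic-go"

// Constructed sample go.mod, not taken from a real project.
const sampleGoMod = "module example.test/app\n\nrequire (\n\tgithub.com/quic-go/quic-go v0.37.1 // indirect\n)\n"

// Classify maps a version onto the advisory's range: 0.37.0 through 0.37.2, fixed in 0.37.3.
func Classify(version string) string {
	var major, minor, patch int
	if n, _ := fmt.Sscanf(version, "v%d.%d.%d", &major, &minor, &patch); n != 3 {
		return "unparsed"
	}
	if major != 0 || minor != 37 || patch > 3 || (patch == 3 && !strings.Contains(version, "-")) {
		return "not affected"
	}
	if patch == 3 { // pseudo-version cut after v0.37.2 but before the v0.37.3 tag
		return "review"
	}
	return "affected"
}

// QuicGoVersion returns the quic-go version a go.mod requires; replace directives are ignored.
func QuicGoVersion(gomod string) (string, bool) {
	inRequire := false
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		if len(f) > 0 && (f[len(f)-1] == "(" || f[0] == ")") {
			inRequire = f[0] == "require" // entering or leaving a directive block
			continue
		}
		if n := len(f); n >= 2 && (inRequire || (n == 3 && f[0] == "require")) && f[n-2] == quicGoModule {
			return f[n-1], true
		}
	}
	return "", false
}

func main() {
	v, ok := QuicGoVersion(sampleGoMod)
	fmt.Println(v, ok, Classify(v))
}
```

A module that is redirected with a `replace` directive is reported by its `require` version only, so such projects need a manual check of the replacement target.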
Exploit
Fix
NULL Pointer Dereference
Related identifiers
Affected products
Quic-Go