PT-2024-1653 · NGINX · NGINX Plus

Published: 2024-02-02 · Updated: 2025-01-24 · CVE-2024-24990

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
NGINX Plus and NGINX OSS are affected when configured to use the HTTP/3 QUIC module. Undisclosed requests can cause worker processes to terminate, allowing a remote attacker to cause a denial of service. The underlying flaw is use of memory after it has been freed. The HTTP/3 QUIC module is not enabled by default and is considered experimental. An exploit is available, but details are not provided here. For more information, see Support for QUIC and HTTP/3: https://nginx.org/en/docs/quic.html. Vulnerable versions are not specified; software versions that have reached End of Technical Support (EoTS) are not evaluated.
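Because exposure requires both a build that includes the HTTP/3 module and a configuration that actually listens with QUIC, a quick exposure check is useful. The following is an added example, not part of this advisory or of nginx; the build strings and config snippets are constructed, and the function name is a hypothetical one.

```shell
# Added example, not part of the PT advisory or of nginx itself: a check for whether an
# nginx deployment is exposed to CVE-2024-24990. Exposure needs both conditions the
# advisory names: a build with the HTTP/3 module and a configuration that uses it.
# Arguments are the text of `nginx -V 2>&1` and the text of the nginx configuration.
# Returns 0 if exposed, 1 otherwise.
nginx_http3_exposed() {
    build_info="$1"
    config_text="$2"
    # 1. HTTP/3 support must be compiled in (it is not part of a default build).
    printf '%s\n' "$build_info" | grep -q -- '--with-http_v3_module' || return 1
    # 2. Some server must actually listen with QUIC; comments are stripped first so a
    #    commented-out "listen 443 quic;" does not count.
    printf '%s\n' "$config_text" | sed 's/#.*$//' \
        | grep -Eq '^[[:space:]]*listen[[:space:]][^;]*[[:space:]]quic([[:space:]]|;|$)' || return 1
    return 0
}

# Constructed sample inputs (hypothetical build strings and config snippets;
# the version placeholder X.Y.Z is deliberate, the advisory names no versions).
BUILD_WITH_H3='nginx version: nginx/X.Y.Z
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module'
BUILD_NO_H3='nginx version: nginx/X.Y.Z
configure arguments: --prefix=/etc/nginx --with-http_ssl_module'
CONF_QUIC='server {
    listen 443 quic reuseport;
    listen 443 ssl;
}'
CONF_SSL_ONLY='server {
    # listen 443 quic;
    listen 443 ssl;
}'

# Stand-alone demonstration. On a real host the same check reads:
#   nginx_http3_exposed "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"
if nginx_http3_exposed "$BUILD_WITH_H3" "$CONF_QUIC"; then
    echo "exposed: HTTP/3 compiled in and a quic listener is configured"
fi
```

A build without the module, or a configuration whose only QUIC listener is commented out, is reported as not exposed.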

Fix

Weakness Enumeration

Use After Free

Related Identifiers

BDU:2024-01328
BIT-NGINX-2024-24990
BIT-NGINX-GATEWAY-2024-24990
CVE-2024-24990

Affected Products

NGINX OSS
NGINX Plus
NGINX
RED OS