PT-2024-24744 · Rustls · Arai-Fortanix · Published 2024-04-19 · Updated 2026-03-24 · CVE-2024-32650

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
rustls versions prior to 0.21.11
rustls versions prior to 0.22.4
rustls versions prior to 0.23.5
Description The rustls::ConnectionCommon::complete_io function could fall into an infinite loop driven by network input. When using a blocking rustls server, if a client sends a close_notify alert immediately after its ClientHello, the server's complete_io loops forever. This can be exploited for a denial of service (DoS): a multithreaded, non-async server that uses rustls can be taken down by a few requests of this kind, after which it stops handling normal requests.
Recommendations For versions prior to 0.21.11, update to version 0.21.11 or later. For versions prior to 0.22.4, update to version 0.22.4 or later. For versions prior to 0.23.5, update to version 0.23.5 or later. As a temporary workaround, consider disabling use of the complete_io function until a patch is available. Restrict access to the rustls::Stream and rustls::StreamOwned types to minimize the risk of exploitation.
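The loop the advisory describes exits only when the handshake finishes or the transport reports EOF; a close_notify received right after the ClientHello leaves the connection in a third state (handshake unfinished, nothing to write, no longer wanting input) that neither exit condition covers. The following added example, which is not rustls's code and uses a constructed toy state machine and a constructed in-memory transport, shows that failure shape and the defensive property a blocking I/O driver needs: every iteration must read or write at least one byte, otherwise the driver returns an error instead of spinning. The function and type names (`ToyServerConn`, `complete_io_guarded`, `MemTransport`, `run`) and the one-byte record types are assumptions for illustration only.

```rust
use std::io::{self, Read, Write};

// Constructed one-byte "record types" for a toy handshake. These are NOT TLS
// content types; they only make the state machine visible.
pub const CLIENT_HELLO: u8 = 0x01;
pub const FINISHED: u8 = 0x02;
pub const SERVER_HELLO: u8 = 0x03;
pub const CLOSE_NOTIFY: u8 = 0x15;

/// Toy server-side connection state (a stand-in, not rustls's ConnectionCommon).
/// Only the three pieces of state the advisory's loop depends on are modelled.
#[derive(Default)]
pub struct ToyServerConn {
    handshaking: bool,
    received_close_notify: bool,
    to_send: Vec<u8>,
}

impl ToyServerConn {
    pub fn new() -> Self {
        Self { handshaking: true, ..Default::default() }
    }
    pub fn is_handshaking(&self) -> bool { self.handshaking }
    pub fn wants_write(&self) -> bool { !self.to_send.is_empty() }
    /// After a close_notify the connection stops asking for input even though
    /// the handshake never finished; a loop whose only exits are "handshake
    /// done" or "read hit EOF" then has no way out.
    pub fn wants_read(&self) -> bool { self.handshaking && !self.received_close_notify }
    fn process(&mut self, bytes: &[u8]) {
        for &b in bytes {
            match b {
                CLIENT_HELLO => self.to_send.push(SERVER_HELLO),
                FINISHED => self.handshaking = false,
                CLOSE_NOTIFY => self.received_close_notify = true,
                _ => {} // unknown record: ignored in this toy
            }
        }
    }
}

/// Drive the handshake over a blocking transport with a termination guarantee:
/// an iteration that neither reads nor writes a byte is a stuck connection and
/// is reported as an error rather than retried forever.
/// Returns (bytes read, bytes written) once the handshake completes.
pub fn complete_io_guarded<T: Read + Write>(
    conn: &mut ToyServerConn,
    transport: &mut T,
) -> io::Result<(usize, usize)> {
    let (mut rd, mut wr) = (0usize, 0usize);
    loop {
        let mut progressed = false;
        while conn.wants_write() {
            let n = transport.write(&conn.to_send)?;
            if n == 0 {
                return Err(io::Error::new(io::ErrorKind::WriteZero, "transport accepted no bytes"));
            }
            conn.to_send.drain(..n);
            wr += n;
            progressed = true;
        }
        if !conn.is_handshaking() {
            return Ok((rd, wr));
        }
        if conn.wants_read() {
            let mut buf = [0u8; 16];
            let n = transport.read(&mut buf)?;
            if n == 0 {
                return Err(io::Error::new(io::ErrorKind::UnexpectedEof, "peer closed mid-handshake"));
            }
            conn.process(&buf[..n]);
            rd += n;
            progressed = true;
        }
        // The guard: ClientHello followed by close_notify lands here with
        // handshaking == true, wants_read() == false and nothing left to write.
        if !progressed {
            return Err(io::Error::new(io::ErrorKind::Other, "no forward progress; aborting handshake"));
        }
    }
}

/// In-memory blocking transport: `from_peer` holds constructed client bytes,
/// `to_peer` collects what the server wrote.
pub struct MemTransport {
    from_peer: io::Cursor<Vec<u8>>,
    pub to_peer: Vec<u8>,
}
impl MemTransport {
    pub fn new(from_peer: &[u8]) -> Self {
        Self { from_peer: io::Cursor::new(from_peer.to_vec()), to_peer: Vec::new() }
    }
}
impl Read for MemTransport {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> { self.from_peer.read(buf) }
}
impl Write for MemTransport {
    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
        self.to_peer.extend_from_slice(buf);
        Ok(buf.len())
    }
    fn flush(&mut self) -> io::Result<()> { Ok(()) }
}

/// Run one server handshake against a constructed client byte sequence.
pub fn run(client_bytes: &[u8]) -> io::Result<(usize, usize)> {
    let mut conn = ToyServerConn::new();
    let mut transport = MemTransport::new(client_bytes);
    complete_io_guarded(&mut conn, &mut transport)
}

fn main() {
    println!("normal client:       {:?}", run(&[CLIENT_HELLO, FINISHED]));
    println!("close_notify client: {:?}", run(&[CLIENT_HELLO, CLOSE_NOTIFY]));
    println!("client hangs up:     {:?}", run(&[CLIENT_HELLO]));
}
```

The progress check is deliberately state-agnostic: it does not need to know about close_notify, so it also terminates the loop for any future state that the explicit exit conditions fail to anticipate. The same property is what to look for when reviewing any blocking driver built on a non-blocking TLS state machine, which is why the advisory's workaround targets the rustls::Stream and rustls::StreamOwned wrappers that drive such loops on behalf of the caller.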

Exploit · Fix · DoS · Infinite Loop


Weakness Enumeration

Related Identifiers

CVE-2024-32650
GHSA-6G7W-8WPP-FRHJ
OPENSUSE-SU-2024:0130-1
OPENSUSE-SU-2024:13893-1
OPENSUSE-SU-2024:13903-1
OPENSUSE-SU-2024:13904-1
OPENSUSE-SU-2024:13912-1
OPENSUSE-SU-2024:13917-1
OPENSUSE-SU-2024:13923-1
OPENSUSE-SU-2024:13961-1
OPENSUSE-SU-2024:13969-1
OPENSUSE-SU-2024:14424-1
RUSTSEC-2024-0336
SUSE-SU-2025:02809-1
SUSE-SU-2025:02810-1
SUSE-SU-2025:02811-1
SUSE-SU-2025:03629-1
SUSE-SU-2025:20057-1

Affected Products

Debian
SUSE
Rustls