PT-2024-2968 · Quic-Go+1 · Quic-Go+1

Marten-Seemann

Published

2024-04-02

Updated

2024-09-27

CVE-2024-22189

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

quic-go versions prior to 0.42.0

Description

The issue is related to the QUIC protocol implementation in quic-go, where an attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. However, the attacker can prevent the receiver from sending out these RETIRE_CONNECTION_ID frames by collapsing the peer's congestion window and manipulating the peer's RTT estimate.

Recommendations

For quic-go versions prior to 0.42.0, update to version 0.42.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of NEW_CONNECTION_ID frames until a patch is available. Avoid using the NEW_CONNECTION_ID frame in the affected API endpoint until the issue is resolved.
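The resource-exhaustion condition in the description, as a simplified receiver-side model added here for illustration. It is not quic-go's code and does not describe how quic-go 0.42.0 fixes the issue. The `Receiver` type, `Simulate` helper and the limit of 4 are constructed; the cap of twice `active_connection_id_limit` and the CONNECTION_ID_LIMIT_ERROR close follow the recommendation in RFC 9000, section 5.1.2.

```go
package main

import (
	"errors"
	"fmt"
)

// Models closing the connection with CONNECTION_ID_LIMIT_ERROR (RFC 9000, 5.1.2).
var ErrConnectionIDLimit = errors.New("CONNECTION_ID_LIMIT_ERROR")

// Receiver is a toy model (hypothetical type) of the peer receiving the frames.
type Receiver struct {
	maxPending int      // cap on queued retirements; 0 = no cap (unbounded growth)
	pending    []uint64 // sequence numbers awaiting a RETIRE_CONNECTION_ID frame
	retiredTo  uint64   // highest Retire Prior To value processed so far
}

// HandleNewConnectionID queues one retirement per connection ID that the
// frame's Retire Prior To field retires, refusing to grow past the cap.
func (r *Receiver) HandleNewConnectionID(retirePriorTo uint64) error {
	for ; r.retiredTo < retirePriorTo; r.retiredTo++ {
		if r.maxPending > 0 && len(r.pending) >= r.maxPending {
			return ErrConnectionIDLimit
		}
		r.pending = append(r.pending, r.retiredTo)
	}
	return nil
}

// Simulate feeds n frames, each retiring one more ID, while the receiver can
// send nothing (congestion window collapsed), so the queue is never drained.
func Simulate(maxPending, n int) (queued int, err error) {
	r := &Receiver{maxPending: maxPending}
	for i := 1; i <= n && err == nil; i++ {
		err = r.HandleNewConnectionID(uint64(i))
	}
	return len(r.pending), err
}

func main() {
	const activeConnectionIDLimit = 4 // constructed sample value
	q, err := Simulate(0, 100000)
	fmt.Println("no cap:", q, err)
	q, err = Simulate(2*activeConnectionIDLimit, 100000)
	fmt.Println("capped:", q, err)
}
```

Without a cap the pending queue grows by one entry per received frame for as long as sending is stalled; with the cap the model stops at 8 entries and signals a connection error instead of allocating further.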

Exploit

Fix

Allocation of Resources Without Limits

Resource Exhaustion

Weakness Enumeration

Related Identifiers

AZL-39749
AZL-39851
BDU:2024-03135
CVE-2024-22189
GHSA-C33X-XQRF-C478
GO-2024-2682
OPENSUSE-SU-2024:0211-1
OPENSUSE-SU-2024:0220-1
OPENSUSE-SU-2024:0319-1
OPENSUSE-SU-2024:13845-1
OPENSUSE-SU-2024:13847-1
OPENSUSE-SU-2024:13849-1
OPENSUSE-SU-2024:13865-1
OPENSUSE-SU-2024:14014-1
RHSA-2024:8534

Affected Products

Debian
Quic-Go