CVE-2024-34161

Name of the Vulnerable Software and Affected Versions NGINX Plus (affected versions not specified) NGINX OSS (affected versions not specified)

Description The issue is related to the use of memory after it has been freed in the HTTP/3 QUIC module (ngx http v3 module) of NGINX Plus and NGINX OSS. This can be exploited by a remote attacker using specially crafted HTTP/3 requests, potentially allowing unauthorized access to protected information. The vulnerability is particularly relevant when the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, as undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.

Recommendations For NGINX Plus, consider disabling the HTTP/3 QUIC module until a patch is available. For NGINX OSS, consider disabling the HTTP/3 QUIC module until a patch is available. As a temporary workaround, restrict the Maximum Transmission Unit (MTU) to less than 4096 to minimize the risk of exploitation.