CVE-2024-32760

Name of the Vulnerable Software and Affected Versions NGINX Plus (affected versions not specified) NGINX OSS (affected versions not specified)

Description The issue is related to the HTTP/3 QUIC module in NGINX Plus and NGINX OSS. It involves undisclosed HTTP/3 encoder instructions that can cause NGINX worker processes to terminate or have other potential impacts. The vulnerability is also described as a buffer overflow in memory, which can be exploited by a remote attacker using specially crafted HTTP/3 requests to cause a denial of service.

Recommendations For NGINX Plus, consider disabling the HTTP/3 QUIC module until a patch is available. For NGINX OSS, consider disabling the HTTP/3 QUIC module until a patch is available. As a temporary workaround, restrict access to the ngx http v3 module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.