PT-2024-9120 · Quic-Go+2 · Quic-Go+2

Marten-Seemann

·

Published

2024-11-19

·

Updated

2025-09-29

·

CVE-2024-53259

CVSS v3.1

6.5

Medium

VectorAV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: quic-go versions prior to 0.48.2
Description: An off-path attacker can inject an ICMP Packet Too Large packet, disrupting a QUIC connection by setting the MTU value to smaller than 1200 bytes. This can be done after the handshake completion, circumventing any TCP fallback. The attacker needs to know the client's IP and port tuple to mount an attack.
Recommendations: For versions prior to 0.48.2, upgrade to version 0.48.2 to fix the vulnerability. As a temporary workaround, consider using IP PMTUDISC PROBE instead of IP PMTUDISC DO to disable the kernel's MTU tracking. Alternatively, use iptables to drop ICMP Unreachable packets to minimize the risk of exploitation.

Exploit

Fix

Insufficient Verification of Data Authenticity

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-345

Related Identifiers

ALSA-2025_16880
ALT-PU-2025-7475
AZL-53807
AZL-53818
BDU:2024-10806
CVE-2024-53259
GHSA-PX8V-PP82-RCVR
GO-2024-3302
OPENSUSE-SU-2024:14544-1
OPENSUSE-SU-2024:14567-1
RHSA-2024:10766

Affected Products

Alt Linux
Debian
Quic-Go