PT-2025-10558 · Ring+1

Published: 2025-03-08 · Updated: 2025-03-08

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: qcp versions 0.1.0 through 0.3.2
Description: The issue is a crash, or denial of service, caused by a dependent package called ring. The crash can be induced by a specially-crafted packet and also happens naturally roughly once every 2**32 packets sent and/or received. It occurs only when runtime overflow checking is enabled. During a qcp file transfer session, an attacker can send a specially-crafted packet to trigger the issue, resulting in a Rust panic that immediately aborts the transfer. The impact is limited to a single session, as qcp runs a separate process for every connected user. The qcp protocol itself does not rely on runtime overflow checks for its security.
Recommendations: Upgrade to qcp 0.3.3 or later. Alternatively, rebuild qcp locally with runtime overflow checks disabled, or rebuild qcp locally against a fixed version of the ring dependency (0.17.12 or later).
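The advisory turns on a Rust build-profile detail: with runtime overflow checks on, an integer operation that wraps panics, and a panic in a transfer process aborts the session; without the checks the same operation wraps silently. The page does not show ring's affected arithmetic, so the added example below (not code from qcp or ring) uses a hypothetical 32-bit packet counter as a stand-in to show the two behaviours side by side, why a wrap "happens naturally" after about 2**32 increments, and how to probe whether a given binary was built with the checks enabled:

```rust
// Added example; not code from qcp or ring. The page does not show ring's
// affected arithmetic, so a 32-bit packet counter stands in for it to show
// what "crash only when runtime overflow checking is enabled" means in Rust.
use std::panic;

/// Advance a 32-bit counter `n` times the way `counter + 1` behaves under
/// `overflow-checks = true`, but report the wrap instead of panicking.
/// Returns Ok(final counter) or Err(index of the increment that would panic).
pub fn advance_checked(mut counter: u32, n: u64) -> Result<u32, u64> {
    for i in 0..n {
        counter = counter.checked_add(1).ok_or(i)?;
    }
    Ok(counter)
}

/// The same advance with explicit wrapping arithmetic: this is what plain `+`
/// does in a build without overflow checks, and what code that intends a
/// modular counter should write so the result does not depend on the profile.
pub fn advance_wrapping(counter: u32, n: u64) -> u32 {
    // n may exceed u32::MAX, so reduce it modulo 2^32 first.
    counter.wrapping_add((n % (1u64 << 32)) as u32)
}

/// Report whether this binary has runtime overflow checks on: `u32::MAX + 1`
/// panics under the checks and wraps to 0 without them. `black_box` keeps the
/// compiler from folding (and rejecting) the expression at compile time.
pub fn overflow_checks_enabled() -> bool {
    let max = std::hint::black_box(u32::MAX);
    // Silence the default panic message while probing.
    let prev = panic::take_hook();
    panic::set_hook(Box::new(|_| {}));
    let result = panic::catch_unwind(|| max + 1);
    panic::set_hook(prev);
    result.is_err()
}

fn main() {
    println!("overflow checks enabled in this build: {}", overflow_checks_enabled());
    // A counter two short of wrapping survives two increments ...
    println!("{:?}", advance_checked(u32::MAX - 2, 2));
    // ... but the third increment is where a checked build panics.
    println!("{:?}", advance_checked(u32::MAX - 2, 3));
    // The wrapping form just returns to 0 and carries on.
    println!("{}", advance_wrapping(u32::MAX - 2, 3));
}
```

Under cargo's default dev profile the probe reports true and the checked counter reports the wrapping increment; under the default release profile (overflow checks off) the probe reports false. That difference is why the advisory lists "rebuild with overflow checks disabled" as a workaround, and why the durable fix is the ring release that uses wrapping arithmetic where wrapping is intended rather than relying on the build profile.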


Related Identifiers: GHSA-FMWF-C46W-R8QM

Affected Products: Qcp, Ring