Vulnerability Report: GO-2023-2045

standard library

CVE-2023-39322
Affects: crypto/tls
Published: Sep 07, 2023
Modified: May 20, 2024

QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.

Affected Packages

Path

Go Versions

Symbols
crypto/tls

from go1.21.0-0 before go1.21.1
- QUICConn.HandleData

Aliases

CVE-2023-39322

References

https://go.dev/issue/62266
https://go.dev/cl/523039
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
https://vuln.go.dev/ID/GO-2023-2045.json

Credits

Marten Seemann

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL