CVE-2024-52811: Acks not validated before logged to qlog leads to buffer overflow in ngtcp2

Published Nov 25, 2024

The ngtcp2 project is an effort to implement the IETF QUIC protocol in C. In affected versions, ACK frames are not validated before being written to the qlog, leading to a heap buffer overflow. In `ngtcp2_conn::conn_recv_pkt`, logic was added to skip `conn_recv_ack` when an ACK frame has already been processed in the same payload. That skip also bypasses `ngtcp2_pkt_validate_ack`, yet the skipped ACK frame is still written to qlog.

The overflow occurs in `ngtcp2_qlog::write_ack_frame`, which can now be reached with an invalid ACK frame, for example `largest_ack=0` and `first_ack_range=15`. The subtraction `largest_ack - first_ack_range` then underflows and wraps around to a 64-bit unsigned value that is 20 decimal digits long. The qlog code, however, assumes the number being written fits a signed integer and budgets only 19 characters for it (see `NGTCP2_QLOG_ACK_FRAME_RANGE_OVERHEAD`). The extra character overruns the buffer, causing a heap overflow.

This is high priority and could affect many users if they enable qlog. qlog is disabled by default; because of its overhead it is most likely used for debugging, but actual usage is unknown. ngtcp2 v1.9.1 fixes the bug and users are advised to upgrade. Users unable to upgrade should not turn on qlog.
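The size-accounting mistake described above, modelled in standalone C. This is an added example and not ngtcp2's code: `validate_ack`, `range_digits_unchecked`, `overflows_budget`, `write_ack_range`, `ack_range_equals` and `RANGE_DIGITS_BUDGET` are hypothetical stand-ins for the real functions and constant named in the advisory. The validation rule it applies (an ACK range may not extend below packet number 0, so `first_ack_range` must not exceed `largest_ack`) is the RFC 9000 section 19.3.1 requirement that `ngtcp2_pkt_validate_ack` enforces; the 19-digit budget mirrors the advisory's signed-integer assumption. Instead of actually corrupting the heap, the example measures how many characters the wrapped value needs and shows the hardened ordering: validate first, then format into a bounded buffer.

```c
/* Added illustration of the qlog size-accounting bug; not ngtcp2's code.
 * All identifiers below are hypothetical stand-ins for the advisory's names. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical budget modelled on the advisory's 19-character assumption:
 * INT64_MAX (9223372036854775807) is 19 digits, UINT64_MAX is 20. */
#define RANGE_DIGITS_BUDGET 19

/* The check that the skipped validation would have provided: RFC 9000 19.3.1
 * forbids an ACK range that reaches below packet number 0, so first_ack_range
 * must not exceed largest_ack. Returns 1 if the pair is well-formed. */
int validate_ack(uint64_t largest_ack, uint64_t first_ack_range) {
    return first_ack_range <= largest_ack;
}

/* Decimal characters needed for the smallest packet number of the first range
 * when the subtraction is done without validation: for an invalid pair the
 * unsigned subtraction wraps to a value near UINT64_MAX and prints 20 digits. */
size_t range_digits_unchecked(uint64_t largest_ack, uint64_t first_ack_range) {
    uint64_t smallest = largest_ack - first_ack_range; /* wraps when invalid */
    char tmp[32];
    return (size_t)snprintf(tmp, sizeof tmp, "%" PRIu64, smallest);
}

/* 1 if formatting this range needs more than the 19-character budget, i.e. the
 * condition under which a writer sized with that budget overruns its buffer. */
int overflows_budget(uint64_t largest_ack, uint64_t first_ack_range) {
    return range_digits_unchecked(largest_ack, first_ack_range) > RANGE_DIGITS_BUDGET;
}

/* Hardened writer: validate before formatting (the order the fix restores) and
 * bound the write. Returns bytes written, or -1 for a malformed ACK or a
 * destination that is too small. */
int write_ack_range(char *out, size_t outlen, uint64_t largest_ack,
                    uint64_t first_ack_range) {
    if (!validate_ack(largest_ack, first_ack_range)) {
        return -1;
    }
    int n = snprintf(out, outlen, "[%" PRIu64 ",%" PRIu64 "]",
                     largest_ack - first_ack_range, largest_ack);
    if (n < 0 || (size_t)n >= outlen) {
        return -1;
    }
    return n;
}

/* Convenience check on the hardened writer's output: 1 if the range formats
 * successfully and equals expected, 0 otherwise (including rejected input). */
int ack_range_equals(uint64_t largest_ack, uint64_t first_ack_range,
                     const char *expected) {
    char buf[64];
    if (write_ack_range(buf, sizeof buf, largest_ack, first_ack_range) < 0) {
        return 0;
    }
    return strcmp(buf, expected) == 0;
}

int main(void) {
    /* The pair from the advisory: largest_ack=0, first_ack_range=15. */
    uint64_t largest_ack = 0, first_ack_range = 15;
    char buf[64];
    printf("valid=%d digits=%zu overflows_budget=%d\n",
           validate_ack(largest_ack, first_ack_range),
           range_digits_unchecked(largest_ack, first_ack_range),
           overflows_budget(largest_ack, first_ack_range));
    printf("hardened writer result: %d\n",
           write_ack_range(buf, sizeof buf, largest_ack, first_ack_range));
    return 0;
}
```

With the advisory's values the unchecked path reports 20 digits against a 19-character budget, which is exactly the one-byte overrun the advisory describes; the hardened writer rejects the pair before any formatting happens. The general lesson is that a frame which skips its validator must also skip every consumer that assumes validated input, qlog included.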

Affected Software

1 affected component: ngtcp2 (versions prior to 1.9.1)

Event History

Nov 25, 2024
CVE Published via MITRE, 06:55 PM
Data Sourced via MITRE, 06:55 PM (description, severity, weakness)
Data Sourced via NVD, 07:15 PM (description, severity, weakness)

Frequently Asked Questions

1. What is the severity of CVE-2024-52811?

The severity of CVE-2024-52811 is classified as high. A peer that sends a malformed ACK frame to an endpoint with qlog enabled can trigger a heap buffer overflow in the qlog writer.

2. How do I fix CVE-2024-52811?

Upgrade ngtcp2 to version 1.9.1 or later, where the vulnerability has been addressed. If you cannot upgrade, do not enable qlog.

3. What versions of ngtcp2 are affected by CVE-2024-52811?

CVE-2024-52811 affects ngtcp2 versions prior to 1.9.1.

4. What type of vulnerability is CVE-2024-52811?

CVE-2024-52811 is a heap buffer overflow in the qlog ACK frame writer of ngtcp2's QUIC implementation. An ACK frame is written to qlog without having passed `ngtcp2_pkt_validate_ack`, so an invalid `largest_ack`/`first_ack_range` pair produces a 20-digit value in a buffer sized for 19 characters.

5. Who is impacted by CVE-2024-52811?

Applications built on vulnerable versions of ngtcp2 that enable qlog are impacted. qlog is disabled by default, so deployments that never enable it do not reach the vulnerable code.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203