Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0yeDdtLWdmODUtMzc0Nc4AA587

Remote Denial of Service Vulnerability in Microsoft QUIC

Impact

The MsQuic server will continue to leak memory until no more is available, resulting in a denial of service.

Patches

The following patch was made:

Fix Memory Leak from Multiple Decodes of TP - https://github.com/microsoft/msquic/commit/5d070d661c45979946615289e92bb6b822efe9e9

Workarounds

Beyond upgrading to the patched versions, there is no other workaround.

MSRC CVE Info

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26190

Permalink: https://github.com/advisories/GHSA-2x7m-gf85-3745
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yeDdtLWdmODUtMzc0Nc4AA587
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 10 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-2x7m-gf85-3745
References:

Repository: https://github.com/microsoft/msquic
Blast Radius: 1.0

Affected Packages

nuget:Microsoft.Native.Quic.MsQuic.OpenSSL

Dependent packages: 0
Dependent repositories: 0
Downloads: total
Affected Version Ranges: >= 2.3.0, < 2.3.5, >= 2.2.0, < 2.2.7, < 2.1.12
Fixed in: 2.3.5, 2.2.7, 2.1.12
All affected versions: 1.8.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.5, 2.1.7, 2.1.8, 2.2.0, 2.2.2, 2.2.3, 2.3.1
All unaffected versions: 2.3.5, 2.3.6, 2.4.3, 2.4.5, 2.4.7

nuget:Microsoft.Native.Quic.MsQuic.Schannel

Dependent packages: 0
Dependent repositories: 0
Downloads: total
Affected Version Ranges: < 2.1.12, >= 2.3.0, < 2.3.5, >= 2.2.0, < 2.2.7
Fixed in: 2.1.12, 2.3.5, 2.2.7
All affected versions: 1.8.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.5, 2.1.7, 2.1.8, 2.2.0, 2.2.2, 2.2.3, 2.3.1
All unaffected versions: 2.3.5, 2.3.6, 2.4.3, 2.4.5, 2.4.7