{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-04-19T21:55:33.175",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2024-52811",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2024-11-25T19:15:11.567",
        "lastModified": "2026-04-15T00:35:42.020",
        "vulnStatus": "Deferred",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "The ngtcp2 project is an effort to implement IETF QUIC protocol in C. In affected versions acks are not validated before being written to the qlog leading to a buffer overflow. In `ngtcp2_conn::conn_recv_pkt` for an ACK, there was new logic that got added to skip `conn_recv_ack` if an ack has already been processed in the payload. However, this causes us to also skip `ngtcp2_pkt_validate_ack`. The ack which was skipped still got written to qlog. The bug occurs in `ngtcp2_qlog::write_ack_frame`. It is now possible to reach this code with an invalid ack, suppose `largest_ack=0` and `first_ack_range=15`. Subtracting `largest_ack - first_ack_range` will lead to an integer underflow which is 20 chars long. However, the ngtcp2 qlog code assumes the number written is a signed integer and only accounts for 19 characters of overhead (see `NGTCP2_QLOG_ACK_FRAME_RANGE_OVERHEAD`). Therefore, we overwrite the buffer causing a heap overflow. This is high priority and could potentially impact many users if they enable qlog. qlog is disabled by default. Due to its overhead, it is most likely used for debugging purpose, but the actual use is unknown. ngtcp2 v1.9.1 fixes the bug and users are advised to upgrade. Users unable to upgrade should not turn on qlog."
          },
          {
            "lang": "es",
            "value": "El proyecto ngtcp2 es un esfuerzo por implementar el protocolo IETF QUIC en C. En las versiones afectadas, los acks no se validan antes de escribirse en el qlog, lo que genera un desbordamiento de búfer. En `ngtcp2_conn::conn_recv_pkt` para un ACK, se agregó una nueva lógica para omitir `conn_recv_ack` si ya se procesó un ack en el payload. Sin embargo, esto hace que también omitamos `ngtcp2_pkt_validate_ack`. El ack que se omitió se escribió en qlog. El error ocurre en `ngtcp2_qlog::write_ack_frame`. Ahora es posible acceder a este código con un ack no válido, supongamos que `largest_ack=0` y `first_ack_range=15`. Restar `largest_ack - first_ack_range` generará un desbordamiento de enteros de 20 caracteres. Sin embargo, el código qlog de ngtcp2 asume que el número escrito es un entero con signo y solo tiene en cuenta 19 caracteres de sobrecarga (consulte `NGTCP2_QLOG_ACK_FRAME_RANGE_OVERHEAD`). Por lo tanto, sobrescribimos el búfer y provocamos un desbordamiento del montón. Esto es de alta prioridad y podría afectar potencialmente a muchos usuarios si habilitan qlog. qlog está deshabilitado de forma predeterminada. Debido a su sobrecarga, lo más probable es que se use con fines de depuración, pero se desconoce su uso real. ngtcp2 v1.9.1 corrige el error y se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar no deben activar qlog."
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "NONE",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "availabilityImpact": "HIGH"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 4.2
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Secondary",
            "description": [
              {
                "lang": "en",
                "value": "CWE-670"
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://github.com/ngtcp2/ngtcp2/commit/44b662bd139c23fee1703bf256c13349e2e624a1",
            "source": "security-advisories@github.com"
          },
          {
            "url": "https://github.com/ngtcp2/ngtcp2/commit/e550c1a414318d0f3f01fca1a621ae0b0428ca15",
            "source": "security-advisories@github.com"
          },
          {
            "url": "https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA-4gmv-gf46-r4g5",
            "source": "security-advisories@github.com"
          }
        ]
      }
    }
  ]
}