CVE-2024-34161

CWE-416 — Use After Free6 documents6 sources

Severity

5.3MEDIUM

EPSS

0.7%

top 27.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Nginx Open Source F5 Nginx Plus Fedoraproject Fedora

Timeline

PublishedMay 29

Description

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

▶CVEListV5f5/nginx_plusR30 — R32

▶NVDf5/nginx_plusr30, r31+1

▶CVEListV5f5/nginx_open_source1.25.0 — 1.26.1

▶NVDf5/nginx_open_source1.25.0 — 1.26.1

▶Debiannginx< 1.26.0-2+1

Also affects: Fedora 39, 40

🔴Vulnerability Details

CVEList

NGINX HTTP/3 QUIC vulnerability↗2024-05-29

▶

OSV

CVE-2024-34161: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of↗2024-05-29

▶

📋Vendor Advisories

Red Hat

nginx: undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory↗2024-05-29

▶

CVE-2024-34161: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a M...↗2024-05-29

▶

Debian

CVE-2024-34161: nginx - When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and th...↗2024

▶