CVE-2024-53259
Published: 2024-12-02
Priority: P4 29, medium, 6.5 (CVSS 3.1)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.61% (44.6th percentile)
quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet. By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection). The attacker needs to at least know the client's IP and port tuple to mount an attack. This vulnerability is fixed in 0.48.2.
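The socket setting the description turns on, as an added Linux-only Go example (not quic-go's own code; the function names are hypothetical). It sets `IP_MTU_DISCOVER` on a UDP socket, reads it back, and classifies the resulting behaviour; `IP_PMTUDISC_PROBE` appears only for contrast, based on ip(7), since the page does not say which mode fixed versions use.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

// pmtuModes names the Linux IP_MTU_DISCOVER values documented in ip(7).
var pmtuModes = map[int]string{
	syscall.IP_PMTUDISC_DONT:  "IP_PMTUDISC_DONT",
	syscall.IP_PMTUDISC_WANT:  "IP_PMTUDISC_WANT",
	syscall.IP_PMTUDISC_DO:    "IP_PMTUDISC_DO",
	syscall.IP_PMTUDISC_PROBE: "IP_PMTUDISC_PROBE",
}

// setAndReadMode opens an unconnected IPv4 UDP socket, applies the given
// IP_MTU_DISCOVER mode and returns the mode the kernel reports back.
func setAndReadMode(mode int) (int, error) {
	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_DGRAM, 0)
	if err != nil {
		return 0, fmt.Errorf("socket: %w", err)
	}
	defer syscall.Close(fd)
	if err := syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, syscall.IP_MTU_DISCOVER, mode); err != nil {
		return 0, fmt.Errorf("setsockopt: %w", err)
	}
	return syscall.GetsockoptInt(fd, syscall.IPPROTO_IP, syscall.IP_MTU_DISCOVER)
}

// enforcesCachedPMTU reports whether sends on a socket in this mode are
// rejected when they exceed the kernel's cached path MTU. Per ip(7) only
// IP_PMTUDISC_DO does this; IP_PMTUDISC_PROBE sets DF but ignores the path MTU.
func enforcesCachedPMTU(mode int) bool { return mode == syscall.IP_PMTUDISC_DO }

// isMessageTooLarge recognises the "message too large" (EMSGSIZE) send error,
// even when it has been wrapped by the net or os packages.
func isMessageTooLarge(err error) bool { return errors.Is(err, syscall.EMSGSIZE) }

func main() {
	for _, m := range []int{syscall.IP_PMTUDISC_DO, syscall.IP_PMTUDISC_PROBE} {
		got, err := setAndReadMode(m)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s: send fails on cached path MTU = %v\n", pmtuModes[got], enforcesCachedPMTU(got))
	}
}
```

A service that logs send errors can use a check like `isMessageTooLarge` to spot established QUIC connections that start failing with EMSGSIZE, which is the symptom the description attributes to affected versions.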
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-lucas-clemente-quic-go | < golang-github-lucas-clemente-quic-go 0.50.0-1 (forky) | golang-github-lucas-clemente-quic-go 0.50.0-1 (forky) |
| github.com | quic-go_quic-go | >= 0 < 0.48.2 | 0.48.2 |
| github.com | traefik_traefik_v2 | >= 0 < 2.11.15 | 2.11.15 |
| github.com | traefik_traefik_v3 | >= 0 < 3.2.2 | 3.2.2 |
| msrc | azl3_coredns_1.11.4-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_coredns_1.11.4-6_on_azure_linux_3.0 | — | — |
| msrc | cbl2_coredns_1.11.1-15_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_coredns_1.11.1-18_on_cbl_mariner_2.0 | — | — |
| quic-go | quic-go | < 0.48.2 | 0.48.2 |
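CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | — | 6.5 | MEDIUM | — |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_msrc | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |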
Microsoft
quic-go affected by an ICMP Packet Too Large Injection Attack on Linux
vendor_msrc·2024-12-10·CVSS 6.5
CVE-2024-53259 [MEDIUM] CWE-345 quic-go affected by an ICMP Packet Too Large Injection Attack on Linux
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Red Hat
quic-go: quic-go affected by an ICMP Packet Too Large Injection Attack on Linux
vendor_redhat·2024-12-02·CVSS 6.5
CVE-2024-53259 [MEDIUM] CWE-345 quic-go: quic-go affected by an ICMP Packet Too Large Injection Attack on Linux
Debian
CVE-2024-53259: golang-github-lucas-clemente-quic-go - quic-go is an implementation of the QUIC protocol in Go. An off-path attacker ca...
vendor_debian·2024·CVSS 6.5
CVE-2024-53259 [MEDIUM] CVE-2024-53259: golang-github-lucas-clemente-quic-go - quic-go is an implementation of the QUIC protocol in Go. An off-path attacker ca...
OSV
Traefik affected by CVE-2024-53259 in github.com/traefik/traefik
osv·2024-12-20·CVSS 6.5
CVE-2024-53259 [MEDIUM] Traefik affected by CVE-2024-53259 in github.com/traefik/traefik
OSV
Traefik affected by CVE-2024-53259
osv·2024-12-17·CVSS 6.5
CVE-2024-53259 [MEDIUM] Traefik affected by CVE-2024-53259
There is a potential vulnerability in Traefik managing HTTP/3 connections.
More details in the [CVE-2024-53259](https://nvd.nist.gov/vuln/detail/CVE-2024-53259).
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.15
- https://github.com/traefik/traefik/releases/tag/v3.2.2
## Workarounds
No workaround
## For more information
If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
GHSA
Traefik affected by CVE-2024-53259
ghsa·2024-12-17·CVSS 6.5
CVE-2024-53259 [MEDIUM] Traefik affected by CVE-2024-53259
OSV
ICMP Packet Too Large Injection Attack on Linux in github.com/quic-go/quic-go
osv·2024-12-04
CVE-2024-53259 ICMP Packet Too Large Injection Attack on Linux in github.com/quic-go/quic-go
GHSA
quic-go affected by an ICMP Packet Too Large Injection Attack on Linux
ghsa·2024-12-02
CVE-2024-53259 [MEDIUM] CWE-345 quic-go affected by an ICMP Packet Too Large Injection Attack on Linux
### Impact
An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used `IP_PMTUDISC_DO`, the kernel would then return a "message too large" error on `sendmsg`, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet.
By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection).
As far as I understand, the kernel tracks the MTU
OSV
CVE-2024-53259: quic-go is an implementation of the QUIC protocol in Go
osv·2024-12-02·CVSS 6.5
CVE-2024-53259 [MEDIUM] CVE-2024-53259: quic-go is an implementation of the QUIC protocol in Go
OSV
quic-go affected by an ICMP Packet Too Large Injection Attack on Linux
osv·2024-12-02
CVE-2024-53259 [MEDIUM] quic-go affected by an ICMP Packet Too Large Injection Attack on Linux
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2024-53259 quic-go: quic-go affected by an ICMP Packet Too Large Injection Attack on Linux
bugzilla·2024-12-02·CVSS 6.5
CVE-2024-53259 [MEDIUM] CVE-2024-53259 quic-go: quic-go affected by an ICMP Packet Too Large Injection Attack on Linux
Bugzilla
CVE-2024-53259 caddy: quic-go affected by an ICMP Packet Too Large Injection Attack on Linux [epel-9]
bugzilla·2024-12-02·CVSS 6.5
CVE-2024-53259 [MEDIUM] CVE-2024-53259 caddy: quic-go affected by an ICMP Packet Too Large Injection Attack on Linux [epel-9]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2329991
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2024-53259 caddy: quic-go affected by an ICMP Packet Too Large Injection Attack on Linux [epel-8]
bugzilla·2024-12-02·CVSS 6.5
CVE-2024-53259 [MEDIUM] CVE-2024-53259 caddy: quic-go affected by an ICMP Packet Too Large Injection Attack on Linux [epel-8]